Getting Data In

Compare splunk query with lookup and output the what is different in the query

vrmandadi
Builder

I have a splunk query that gives me the different values of an appid and csv file which has a single field called appid .I want to write a query which will give the appid that is not there in csv but in the search.

Thanks in advance

0 Karma
1 Solution

vrmandadi
Builder

index=alteryx name="test" dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed vby appid | where Observed=1

View solution in original post

0 Karma

vrmandadi
Builder

index=alteryx name="test" dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed vby appid | where Observed=1

0 Karma

vrmandadi
Builder

This worked

0 Karma

manjunathmeti
Champion

Use sub-search to filter unwanted values:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | fields appid]

Since appid is the only field you can use this:

 index=INDEXNAME NOT [| inputlookup csv_file_name.csv]
0 Karma

vrmandadi
Builder

not getting any results

0 Karma

manjunathmeti
Champion

Try this:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | rename appid as apps{}.appId | fields apps{}.appId]
0 Karma

vrmandadi
Builder

@manjunathmeti .Hey I have renamed the field from field aliases .I want to let you know that the appid is a multivalue field. that is why the NOT is not working

0 Karma

manjunathmeti
Champion

Can you give some sample values of appid field?

0 Karma

vrmandadi
Builder

5db0666317580917c00bb814
5db0666317580917c00bb333
5db0666317580917c00bb999

0 Karma

manjunathmeti
Champion

Then you can do this:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | eval appid="*".appid."*" | format]
0 Karma

mydog8it
Builder

try this:

index=aaa | fields appid | join type=outer | [search |inputlookup yourfile.csv ]
0 Karma

vrmandadi
Builder

I am getting the below error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '89' of search query 'search index=abc|rename "apps{}.appId" as ap...{snipped} {errorcontext = e=outer | [search |in}'.

0 Karma
Get Updates on the Splunk Community!

Splunk Observability Cloud’s AI Assistant in Action Series: Analyzing and ...

This is the second post in our Splunk Observability Cloud’s AI Assistant in Action series, in which we look at ...

Elevate Your Organization with Splunk’s Next Platform Evolution

 Thursday, July 10, 2025  |  11AM PDT / 2PM EDT Whether you're managing complex deployments or looking to ...

Splunk Answers Content Calendar, June Edition

Get ready for this week’s post dedicated to Splunk Dashboards! We're celebrating the power of community by ...