- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: Compare splunk query with lookup and output th...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I have a splunk query that gives me the different values of an appid and csv file which has a single field called appid .I want to write a query which will give the appid that is not there in csv but in the search.
Thanks in advance
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=alteryx name="test" dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed vby appid | where Observed=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=alteryx name="test" dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed vby appid | where Observed=1
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This worked
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Use sub-search to filter unwanted values:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | fields appid]
Since appid is the only field you can use this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
not getting any results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Try this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | rename appid as apps{}.appId | fields apps{}.appId]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
@manjunathmeti .Hey I have renamed the field from field aliases .I want to let you know that the appid is a multivalue field. that is why the NOT is not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Can you give some sample values of appid field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
5db0666317580917c00bb814
5db0666317580917c00bb333
5db0666317580917c00bb999
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then you can do this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | eval appid="*".appid."*" | format]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try this:
index=aaa | fields appid | join type=outer | [search |inputlookup yourfile.csv ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting the below error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '89' of search query 'search index=abc|rename "apps{}.appId" as ap...{snipped} {errorcontext = e=outer | [search |in}'.
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
.conf24 | Registration Open!
ICYMI - Check out the latest releases of Splunk Edge Processor
