I have a Splunk query that gives me the different values of an appid, and a CSV file which has a single field called appid. I want to write a query which will give the appids that are in the search but not in the CSV.
Thanks in advance
index=alteryx name="test" | dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed by appid | where Observed=1
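The append/stats min(Observed) trick above is easy to get wrong when appid is multivalue, so here is the same logic worked through in Python. This is an added example, not SPL from the thread or from Splunk; the records, the lookup rows and the function names are constructed for illustration. Main-search rows are tagged Observed=1, lookup rows Observed=0, each multivalue appid is split into one row per value (as `stats ... by appid` does), and only appids whose minimum stays at 1 survive, i.e. those the CSV does not know about.

```python
# Added example (not from the thread): simulates
#   ... | eval Observed=1 | append [ lookup | eval Observed=0 ]
#   | stats min(Observed) as Observed by appid | where Observed=1
# including the multivalue appid case the OP mentions.

# Constructed sample search results; appid may be multivalue (a list)
SEARCH_RESULTS = [
    {"id": "e1", "appid": "5db0666317580917c00bb814"},
    {"id": "e2", "appid": ["5db0666317580917c00bb333", "5db0666317580917c00bb999"]},
    {"id": "e3", "appid": "5db0666317580917c00bb814"},
]

# Constructed lookup rows, like a testcoll.csv with a single appid column
LOOKUP_ROWS = [
    {"appid": "5db0666317580917c00bb333"},
    {"appid": "5db0666317580917c00bb000"},
]


def expand_multivalue(value):
    """Split a field value into its individual values (Splunk multivalue semantics)."""
    if value is None:
        return []
    if isinstance(value, (list, tuple)):
        return [v for v in value if v]
    return [value]


def appids_by_min_observed(search_results, lookup_rows):
    """Return {appid: min(Observed)} over search rows (1) and appended lookup rows (0)."""
    tagged = [(row.get("appid"), 1) for row in search_results]   # eval Observed=1
    tagged += [(row.get("appid"), 0) for row in lookup_rows]     # append ... Observed=0
    min_observed = {}
    for value, observed in tagged:
        # stats ... by appid: a multivalue appid contributes one group per value
        for appid in expand_multivalue(value):
            min_observed[appid] = min(min_observed.get(appid, observed), observed)
    return min_observed


def appids_not_in_lookup(search_results, lookup_rows):
    """appids present in the search but absent from the lookup (where Observed=1)."""
    min_observed = appids_by_min_observed(search_results, lookup_rows)
    return sorted(appid for appid, observed in min_observed.items() if observed == 1)


def appids_only_in_lookup(search_results, lookup_rows):
    """The reverse check (where Observed=0): lookup rows never seen in the search."""
    min_observed = appids_by_min_observed(search_results, lookup_rows)
    seen_in_search = {
        appid for row in search_results for appid in expand_multivalue(row.get("appid"))
    }
    return sorted(appid for appid, observed in min_observed.items()
                  if observed == 0 and appid not in seen_in_search)


if __name__ == "__main__":
    print("in search, not in csv:", appids_not_in_lookup(SEARCH_RESULTS, LOOKUP_ROWS))
    print("in csv, not in search:", appids_only_in_lookup(SEARCH_RESULTS, LOOKUP_ROWS))
```

Note that `min` is what makes this a set difference: any appid that appears in the lookup is pulled down to 0 no matter how many times the search saw it, so `where Observed=1` keeps exactly the values the CSV lacks. Because the grouping is per value, a multivalue event contributes each of its appids separately instead of the whole list being compared as one string.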
This worked
Use sub-search to filter unwanted values:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | fields appid]
Since appid is the only field, you can also use this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv]
Not getting any results.
Try this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | rename appid as "apps{}.appId" | fields "apps{}.appId"]
@manjunathmeti Hey, I have renamed the field using field aliases. I want to let you know that appid is a multivalue field; that is why the NOT is not working.
Can you give some sample values of appid field?
5db0666317580917c00bb814
5db0666317580917c00bb333
5db0666317580917c00bb999
Then you can do this:
index=INDEXNAME NOT [| inputlookup csv_file_name.csv | eval appid="*".appid."*" | format]
Try this:
index=aaa | fields appid | join type=outer appid [| inputlookup yourfile.csv | eval in_csv=1] | where isnull(in_csv)
I am getting the below error
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '89' of search query 'search index=abc|rename "apps{}.appId" as ap...{snipped} {errorcontext = e=outer | [search |in}'.