Getting Data In

Compare Splunk query with lookup and output what is different in the query

Builder

I have a Splunk query that gives me the different values of an appid, and a CSV file which has a single field called appid. I want to write a query which will give the appids that are in the search but not in the CSV.

Thanks in advance

0 Karma
1 Solution

Builder

index=alteryx name="test" | dedup appid | table appid id | eval Observed=1
| append [| inputlookup testcoll.csv | table appid | eval Observed=0 ] | stats min(Observed) as Observed by appid | where Observed=1

View solution in original post

0 Karma

Builder

This worked

0 Karma

Influencer

Use sub-search to filter unwanted values:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | fields appid]

Since appid is the only field, you can use this:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv]

0 Karma

Builder

Not getting any results.

0 Karma

Influencer

Try this:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | rename appid as apps{}.appId | fields apps{}.appId]

0 Karma

Builder

@manjunathmeti Hey, I have renamed the field from field aliases. I want to let you know that the appid is a multivalue field; that is why the NOT is not working.

0 Karma
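As an added illustration (not code from this thread), the following Python emulates two of the approaches above on constructed events whose appid is multivalue: the `NOT [| inputlookup ...]` subsearch, which filters at the event level, and the accepted `append` / `stats min(Observed) by appid` answer, which works per value. The sample appid values and events are constructed.

```python
"""Emulate two SPL approaches from the thread on constructed sample data.

Approach A: `index=... NOT [| inputlookup csv | fields appid]` expands to
`NOT (appid=X OR appid=Y ...)`, so a whole event is dropped as soon as ANY
of its appid values is in the lookup.
Approach B (accepted answer): tag search values Observed=1, appended lookup
values Observed=0, then `stats min(Observed) by appid | where Observed=1`.
"""

# Constructed lookup contents (stand-in for testcoll.csv).
LOOKUP_APPIDS = {"5db0666317580917c00bb814", "5db0666317580917c00bb333"}

# Constructed events; appid is multivalue, as the asker described.
EVENTS = [
    {"id": "e1", "appid": ["5db0666317580917c00bb814"]},
    {"id": "e2", "appid": ["5db0666317580917c00bb333", "5db0666317580917c00bb999"]},
    {"id": "e3", "appid": ["5db0666317580917c00bb777"]},
]


def not_subsearch_filter(events, lookup):
    """Approach A: keep only events where NO appid value is in the lookup,
    then report the appid values that survive."""
    kept = [e for e in events if not any(v in lookup for v in e["appid"])]
    return sorted({v for e in kept for v in e["appid"]})


def stats_min_observed(events, lookup):
    """Approach B: per-value set difference via min(Observed) by appid."""
    # Search side: stats by a multivalue field groups each value on its own,
    # so expand every value into its own row with Observed=1.
    rows = [(v, 1) for e in events for v in e["appid"]]
    # Appended inputlookup rows carry Observed=0.
    rows += [(v, 0) for v in lookup]
    grouped = {}
    for appid, observed in rows:          # stats min(Observed) as Observed by appid
        grouped[appid] = min(grouped.get(appid, observed), observed)
    return sorted(a for a, o in grouped.items() if o == 1)  # where Observed=1


if __name__ == "__main__":
    print("NOT subsearch   :", not_subsearch_filter(EVENTS, LOOKUP_APPIDS))
    print("stats min(Obs)  :", stats_min_observed(EVENTS, LOOKUP_APPIDS))
```

Event e2 carries one appid that is in the CSV and one that is not; the NOT filter discards the whole event and so loses the second value, while the stats approach reports it.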

Influencer

Can you give some sample values of appid field?

0 Karma

Builder

5db0666317580917c00bb814
5db0666317580917c00bb333
5db0666317580917c00bb999

0 Karma

Influencer

Then you can do this:

index=INDEXNAME NOT [| inputlookup csv_file_name.csv | eval appid="*".appid."*" | format]

0 Karma

Builder

Try this:

index=aaa | fields appid | join type=outer | [search |inputlookup yourfile.csv ]

0 Karma

Builder

I am getting the below error:
Error in 'SearchParser': Subsearches are only valid as arguments to commands. Error at position '89' of search query 'search index=abc|rename "apps{}.appId" as ap...{snipped} {errorcontext = e=outer | [search |in}'.

0 Karma