Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Create a Report of lookup table values minus search results

ejwade
Contributor
‎11-13-2017 05:33 PM

I have a search returning all the uuids of firewall policies used in the last 30 days:

sourcetype=fortinet_fortigate_syslog vd=mgt policyid!=0 | table poluuid | dedup poluuid

I have a CSV containing a master list of all policy uuids configured on the firewall.

/opt/splunk/etc/system/lookups/uuids.csv

I would like to construct a search so I can return the values from uuids.csv, less the search results of the uuids from the last 30 days. This is backwards compared to a lookup search I've created in the past. Any ideas?

0 Karma
Reply

hardikJsheth
Motivator
‎11-13-2017 09:33 PM

You can also try using append command to merge results of two queries and then filter the results where count =1 as follows:

sourcetype=fortinet_fortigate_syslog vd=mgt policyid!=0 | dedup poluuid | rename poluuid as uuid | table uuid | append [|inputlookup uuid.csv | table uuid] | stats count by uuid | search count =1  |table uuid.
0 Karma
Reply

cmerriman
Super Champion
‎11-13-2017 05:41 PM

Have you tried using the ‘set diff’ command?
http://docs.splunk.com/Documentation/Splunk/7.0.0/SearchReference/Set

Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...