Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How do I count how many times a value of one field appears in other fields in another CSV/lookup?

russell120
Communicator
‎10-25-2018 08:55 AM

Hi, consider the below CSV files:

quickscan.csv

      ip             mac
 11.11.11.11     ab:cd:ef:gh
 22.22.22.222    ij:jk:lm:no
 33.33.333.333   pq:rs:tu:vw

ScanRecord.csv

 unknown_ip    dangerous_ip      date      location    unknown_mac     blocked_mac 
22.22.22.222   22.22.22.222    20181025    Hogwarts    ij:jk:lm:no     ij:jk:lm:no
33.33.333.333                  20181025       US       pq:rs:tu:vw

How do I take the values of the ip and mac fields and compare them against the second CSV to display the number of (specified) fields that appear withinScanRecord.csv (the fields would be unknown_ip, dangerous_ip, unknown_mac, and blocked_mac)? The result should spit out a table that looks like this:

     ip           ip_appears        mac        mac_appears
22.22.22.222          2         ij:jk:lm:no         2
33.33.333.333         1         pq:rs:tu:vw         1

EDIT: The solution needs to be scale-able and not limited to the 2-3 rows/events I have above. In reality, each of these CSVs has hundreds of rows/events.

0 Karma
Reply

DalJeanis
Legend
‎10-25-2018 11:04 AM

Here's one method...

| inputcsv ScanRecord.csv

| rename COMMENT as "this section calculates the number of times that any IP or mac appears in the ScanRecord.csv"
| eval testfields=mvappend(unknown_ip,dangerous_ip,unknown_mac,blocked_mac)
| stats count as foundcount by testfields
| eval mac=case(match(testfields,":"),testfields)
| eval mac_appears=case(match(testfields,":"),foundcount)
| eval ip=case(NOT match(testfields,":"),testfields)
| eval ip_appears=case(NOT match(testfields,":"),foundcount)
| fields - testfields foundcount
| eval typerec="scan record so kill me later"

| rename COMMENT as "add in the quickscan.csv records"
| inputcsv append=t quickscan.csv

| rename COMMENT as "this section rolls the information over from the scan records to the quickscan records then drops the scan records"
| eventstats sum(mac_appears) as mac_appears by mac
| eventstats sum(ip_appears) as ip_appears by ip
| where isnull(typerec)

Here's some run-anywhere code that folks can use to review the method...

| makeresults 
| eval mydata="22.22.22.222,22.22.22.222,Hogwarts,ij:jk:lm:no,ij:jk:lm:no!!!!33.33.333.333,NULL,US,pq:rs:tu:vw,!!!!"
| makemv delim="!!!!" mydata 
| mvexpand mydata
| makemv delim="," mydata
| eval  unknown_ip=mvindex(mydata,0)
| eval  dangerous_ip=case(mvindex(mydata,1)!="NULL",mvindex(mydata,1))
| eval  location=mvindex(mydata,2)
| eval  unknown_mac=mvindex(mydata,3)
| eval  blocked_mac=mvindex(mydata,4)
| rename COMMENT as "the above simulates entry of your ScanRecord.csv"

| rename COMMENT as "this section calculates the number of times that any IP or mac appears in the ScanRecord.csv"
| eval testfields=mvappend(unknown_ip,dangerous_ip,unknown_mac,blocked_mac)
| stats count as foundcount by testfields
| eval mac=case(match(testfields,":"),testfields)
| eval mac_appears=case(match(testfields,":"),foundcount)
| eval ip=case(NOT match(testfields,":"),testfields)
| eval ip_appears=case(NOT match(testfields,":"),foundcount)
| fields - testfields foundcount
| eval typerec="scan record so kill me"

| rename COMMENT as "this append simulates entry of your quickscan.csv"
| append 
    [| makeresults 
     | eval mydata=mvappend("11.11.11.11,ab:cd:ef:gh","22.22.22.222,ij:jk:lm:no","33.33.333.333,pq:rs:tu:vw")
     | mvexpand mydata 
     | makemv delim="," mydata 
     | eval ip=mvindex(mydata,0), mac=mvindex(mydata,1) 
     | table ip mac
     ]

| rename COMMENT as "this section rolls the information over from the scan records to the quickscan records then drops the scan records"
| eventstats sum(mac_appears) as mac_appears by mac
| eventstats sum(ip_appears) as ip_appears by ip
| where isnull(typerec)
0 Karma
Reply

russell120
Communicator
‎10-29-2018 06:47 AM

In line 5 of the first example, or line 15 in the second example, are you supposed to use eval foundcount = mvcount(testfields) since testfields stores multiple values?

0 Karma
Reply

russell120
Communicator
‎10-25-2018 01:01 PM

@DalJeanis Nice! Wow, you know your stuff. I added an edit at the very bottom of my post. Basically, the solution you provide will need to be able to work with a CSV with hundreds of rows/ips/events.

0 Karma
Reply

kmaron
Motivator
‎10-25-2018 10:26 AM

am I correct in assuming that the same ip can show up for more than one record in ScanRecord.csv?

0 Karma
Reply

mstjohn_splunk
Splunk Employee
Splunk Employee
‎11-06-2018 01:50 PM

hi @russell120

Did the answer below solve your problem? If so, please resolve this post by approving it! If your problem is still not solved, keep us updated so that someone else can help ya. Thanks for posting!

0 Karma
Reply

russell120
Communicator
‎10-25-2018 11:20 AM

@kmaron No, the ip would only appear in only one record.

0 Karma
Reply
Get Updates on the Splunk Community!

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...

Cloud Platform & Enterprise: Classic Dashboard Export Feature Deprecation

As of Splunk Cloud Platform 9.3.2408 and Splunk Enterprise 9.4, classic dashboard export features are now ...