Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare lookup to an index?

Manik_
Engager
‎11-07-2022 02:09 PM

Hey all,
Looking for some assistance on this splunk search. I've looked at other examples but for some reason I'm unable to replicate that with our data set.

Currently have:

 

 

index=DB DNS="*aws.amazon.com*"
| dedup DNS
| stats count by DNS
| lookup dataFile hostname AS DNS OUTPUT hostname as matched
| eval matched=if(isnull(matched), "No Match", "Matched")
| stats sum(count) BY matched

 

 

So what this is doing is matching the Index and lookup file name DataFile by the DNS name and it just gives me the count of what matches and the count of what doesn't have a match in dataFile.

However, I'm looking for this but essentially flipped. I need the results of the lookup table "dataFile" to be the base set of data and compare that to the index named DB so that it displays the count of assets not matched in the index.

I've tried something like this:

 

 

index=DB DNS="*aws.amazon.com*"
 [|inputlookup dataFile
  | rename hostname as host
  | fields host]
| lookup dataFile hostname as DNS output hostname
| stats values(hostname) as host

 

 

but no it just keeps parsing so something is wrong here. Not sure what may be the best approach here.

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2022 03:19 PM

Use this

index=DB DNS="*aws.amazon.com*"
| dedup DNS
| stats count by DNS
| eval isIx=1
| append [
  | inputlookup dataFile
  | rename hostname as DNS
  | eval isIx=0
]
| stats max(isIx) as isIx values(count) by DNS
| eval matched=if(isIx=0, "No Match", "Matched")
| stats sum(count) BY matched

What you are doing is searching the index data, marking those as finds_in_index (isIx) and then appending the lookup file and marking them as not index finds.

Then join them together and those with isIx set to 1 were index finds, the others not.

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎11-07-2022 03:19 PM

Use this

index=DB DNS="*aws.amazon.com*"
| dedup DNS
| stats count by DNS
| eval isIx=1
| append [
  | inputlookup dataFile
  | rename hostname as DNS
  | eval isIx=0
]
| stats max(isIx) as isIx values(count) by DNS
| eval matched=if(isIx=0, "No Match", "Matched")
| stats sum(count) BY matched

What you are doing is searching the index data, marking those as finds_in_index (isIx) and then appending the lookup file and marking them as not index finds.

Then join them together and those with isIx set to 1 were index finds, the others not.

Reply
Solved! Jump to solution

Manik_
Engager
‎11-08-2022 01:32 PM

Thank you, this was great!

All I did was add a where clause for the inputlookup and it worked great to compare and filter by column

|inputlookup dataFile where hostname="*aws.amazon.com*"
| fields hostname

 

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎11-08-2022 03:44 PM

If the question is solved, please accept the solution so others can benefit

Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Community Content Calendar, September edition

Welcome to another insightful post from our Community Content Calendar! We're thrilled to continue bringing ...

Splunkbase Unveils New App Listing Management Public Preview

Splunkbase Unveils New App Listing Management Public PreviewWe're thrilled to announce the public preview of ...

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you leveraging automation to its fullest potential in your threat detection strategy?Our upcoming Security ...