Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to compare two CSV files with multiple rows

vulnfree
Explorer
‎12-04-2019 10:25 AM

I am looking to compare two CSV files to output a change or addition.
Example:

File 1:
User Date Status
Dave 1/1 New
Linda 1/2 Old
Bob 1/3 Old

File 2:
User Date Status
Dave 1/1 Old
Dave 1/2 New
Linda 1/2 Old
Tony 1/8 New

If the user from File 1 matches File 2 and either row "date" and "status" have changed then output that information plus any new additions. Expected output

User Date Status
Dave 1/1 Old
Dave 1/2 New
Tony 1/8 New

0 Karma
Reply

dindu
Contributor
‎12-04-2019 01:36 PM

Hi,
You could use the "join " command to achieve functionality.
Please try the below functionality.Please let us know whether it worked.

index=source_file1 souretype=source_file1
|table Date,Status,User
|join type=inner User 
|[search index=source_file2 souretype=source_file2  
|eval Date_file2=Date,Status_file2=Status
|table Date_file2,Status_file2]
|eval match_date=if(Date_file2==Date,1,0),match_status=if(Status_file2==Status,1,0)
|where match_date=1 OR match_status=1
|table User,Date,Status
Reply
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...