How to edit my inputlookup subsearch to return field values from the csv only if the values were not found?

TobiasBoone
Communicator
index=audit /collect earliest=-300d [inputlookup serials2check | fields serial | multikv fields serial | rename serial as query]

This search works perfectly for pulling a list of serial numbers that internal audit needs to check to see whether they have been on our premises in the past 300 days. It pulls in a list of 300-plus serial numbers and essentially builds a big OR statement in the middle from the CSV.

What I would like to know is how to return the serial number from the CSV inputlookup ONLY IF it was not found. I've been scratching my head for a while and cannot wrap my head around how to invert this logic using the pipeline.

markthompson
Builder

Take a look at the eval match function; you could use a simple if statement:

eval Exists=if(match(Field,"REGEX"), "TRUE", "FALSE")

Then just table the ones where Exists is equal to false.

0 Karma

TobiasBoone
Communicator

I looked at the eval function and just can't figure out how to take a negative result from an individual subsearch item and return a value from it. If the serial numbers from the input list were a one-to-one ratio with what was in the assets index, I could just do a NOT, but unfortunately the assets index contains many thousands more. If this were more of an iterative process perhaps it would be possible. Should the inputlookup occur first, passing the values into the search and then into the eval?

0 Karma

markthompson
Builder

In your lookup table, you might be able to use

eval Exists=if(match(Field,), "TRUE", "FALSE")

Which might pass the value through to the match statement, see if it can find it, then add a where clause just before your table.

0 Karma

somesoni2
Revered Legend

Could you please explain more about the requirement here? When do you want to return serial numbers from inputlookup?

0 Karma

TobiasBoone
Communicator

Scenario: take a list of serial numbers and see whether they are actively checking into the asset management system logs. There are two parts to this report from central audit.
1. This is working -- see who is using the computer serial numbers and where.
2. This is what I am looking for -- show me those serial numbers from the initial list that did not return results because they are missing...

0 Karma
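One way to invert the match the thread is after, as an added example that is not code from any of the posters: seed the result set from the lookup itself, append the audit hits, and keep only serials that never appear on the audit side. It reuses the serials2check lookup and the index=audit /collect search from the question and assumes (hypothetically) that the audit events carry an extracted field named serial.

```spl
| inputlookup serials2check
| fields serial
| eval seen=0
| append
    [ search index=audit /collect earliest=-300d
        [ inputlookup serials2check | fields serial | rename serial AS query ]
      | fields serial
      | eval seen=1 ]
| stats max(seen) AS seen BY serial
| where seen=0
| table serial
```

If the serial only appears in _raw and is not extracted as a field, add a rex before the eval seen=1 so the stats BY serial clause has something to group on; with several thousand serials, also check the subsearch result limits so the appended search is not silently truncated.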