Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

help on comparison between 2 lookup

jip31
Motivator
‎10-17-2019 03:18 AM

hi

I use the search below in order to retrieve the fields host ,SITE and STATUS from a lookup and to compare them with the field host in another lookup
| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host

Now I need to display the host that exist in a lookup but not in another lookup
could you help me please??

Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2019 03:51 AM

Hi jip31,
do you want this in the same search or in another one?

if in another one it's easy:

| inputlookup host.csv NOT [ |inputlookup lookup_cmdb_fo_all.csv | rename HOSTNAME AS host | fields host ]
| ...

if instead you want this in the same search you have to modify your search in this way:

| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host
| eval Status=if(isnull(SITE),"Not present","Present")

Ciao.
Giuseppe

View solution in original post

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎10-17-2019 03:51 AM

Hi jip31,
do you want this in the same search or in another one?

if in another one it's easy:

| inputlookup host.csv NOT [ |inputlookup lookup_cmdb_fo_all.csv | rename HOSTNAME AS host | fields host ]
| ...

if instead you want this in the same search you have to modify your search in this way:

| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host
| eval Status=if(isnull(SITE),"Not present","Present")

Ciao.
Giuseppe

Reply
Solved! Jump to solution

jip31
Motivator
‎10-17-2019 03:58 AM

hi guiseppe perfect thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...