Solved: help on comparison between 2 lookup

jip31 · ‎10-17-2019

hi

I use the search below in order to retrieve the fields host ,SITE and STATUS from a lookup and to compare them with the field host in another lookup
| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host

Now I need to display the host that exist in a lookup but not in another lookup
could you help me please??

gcusello · ‎10-17-2019

Hi jip31,
do you want this in the same search or in another one?

if in another one it's easy:

| inputlookup host.csv NOT [ |inputlookup lookup_cmdb_fo_all.csv | rename HOSTNAME AS host | fields host ]
| ...

if instead you want this in the same search you have to modify your search in this way:

| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host
| eval Status=if(isnull(SITE),"Not present","Present")

Ciao.
Giuseppe

View solution in original post

gcusello · ‎10-17-2019

Hi jip31,
do you want this in the same search or in another one?

if in another one it's easy:

| inputlookup host.csv NOT [ |inputlookup lookup_cmdb_fo_all.csv | rename HOSTNAME AS host | fields host ]
| ...

if instead you want this in the same search you have to modify your search in this way:

| inputlookup host.csv
| lookup lookup_cmdb_fo_all.csv HOSTNAME as host output SITE STATUS
| stats values(SITE) as SITE, values(STATUS) as STATUS by host
| eval Status=if(isnull(SITE),"Not present","Present")

Ciao.
Giuseppe

jip31 · ‎10-17-2019

hi guiseppe perfect thanks

help on comparison between 2 lookup

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life