Reporting
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find missing values from different lookups?

Mary666
Communicator
‎11-20-2020 06:23 PM

I have two different lookups and I need to compare and find the missing employee names. If present in one lookup it should display yes and if not present it should display no. Here is an example. 

Lookup 1:

Sam

Sheila

James

Lookup 2: 

Sam

Sheila

James

Tom

Then create two columns and display yes or no if name is present or not. 

Employee Names Lookup 1 Lookup 2
Sam YES Yes
Sheila YES Yes
James YES Yes
Tom No Yes
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Mary666
Communicator
‎12-11-2020 05:20 PM

I figured it out,

So here I am comparing lookups. If name is in lookup 1 display Yes otherwise No, if in lookup 2 display yes otherwise no. 

I had used static values on my dropdown filter for the dashboard. Therefore, the 0,2,1--- 0 means its in both reports, 2 means its in Lookup 1, and 1 means its in lookup 2. 

| New Field Name Created to identify the name=if(Lookup_1="Yes", if(Lookup_2="Yes",0,2),1) 

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎11-21-2020 01:31 AM

Read the first lookup, evaluate a variable unique to that lookup if there isn't one already. Append the other lookup with a unique value for that lookup. Do a stats values(lookup1unique) values(lookup2unique) by employee name. Then where either lookup1unique is null or lookup2unique is null, you have a missing employee name

0 Karma
Reply
Solved! Jump to solution

Mary666
Communicator
‎11-21-2020 11:19 PM

@ITWhisperer 

I'm new to Splunk and I am still struggling with the concept. I was able to join the lookups, and all their different values are listed, but I am still not able to get Yes where the Employee Name exists or No - which could be in either CSV.  I would like to have 2 separate column  for each CSV and under it either a yes or a no. Any advice at this point is greatly appreciated. 

I think my main issue is just getting to find away to use the csv as a filed in Splunk. 

| inputlookup  Employee_Names1.csv  | inputlookup append=t Emplyee_Names2.csv | rename "First Name" as FirstName "Title" as Role

| eval  Emplyee=if(Employee_Names1.csv ="EmplyeeName","Yes", "No") 
| eval  Emplyee=if(Emplyee_Names2.csv ="EmplyeeName","Yes", "No") 
| stats values(Employee_Names1.csv) as List1, values(Emplyee_Names2.csv) as List2 by Emplyee name

 

0 Karma
Reply
Solved! Jump to solution
Solution

Mary666
Communicator
‎12-11-2020 05:20 PM

I figured it out,

So here I am comparing lookups. If name is in lookup 1 display Yes otherwise No, if in lookup 2 display yes otherwise no. 

I had used static values on my dropdown filter for the dashboard. Therefore, the 0,2,1--- 0 means its in both reports, 2 means its in Lookup 1, and 1 means its in lookup 2. 

| New Field Name Created to identify the name=if(Lookup_1="Yes", if(Lookup_2="Yes",0,2),1) 

 

0 Karma
Reply
Get Updates on the Splunk Community!

Building Reliable Asset and Identity Frameworks in Splunk ES

 Accurate asset and identity resolution is the backbone of security operations. Without it, alerts are ...

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

For Splunk Cloud customers, understanding and optimizing Splunk Virtual Compute (SVC) usage and resource ...

Automatic Discovery Part 3: Practical Use Cases

If you’ve enabled Automatic Discovery in your install of the Splunk Distribution of the OpenTelemetry ...