Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Filtered list

Bracha
Path Finder
‎12-04-2023 02:28 AM

Hi
I have a dashboard that displays CSV
I want to add lists for him to display that are not in the CSV
But the list I'm adding includes the records that are in the CSV
I want to create a list that will not include the records in the CSV

This code gets me the whole list

 

| index="------" interface="--"
|stats values(interface) as importers

 


This code brings me the list from the CSV

 

index="------------" code=*
| search
         [|inputlookup importers.csv
          |lookup importers.csv interfaceName OUTPUTNEW system environment timerange
          |stats
                 values(interfaceName) as importers_csv

 

 

I want a code that brings me the list without the records in the CSV
Thanks

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2023 02:42 AM

Hi @Bracha ,

let me understand: in the importers.csv file you have a list of interfaces and you want to filter your results using the above lookup or you want to check if they are present in the index?

if you want to filter your results using the lookup, you can use a subsearch, putting attention that the field names in main and sub search are the same (in your case interfaceName):

index="------------" code=* [|inputlookup importers.csv | fields interfaceName ]
|stats values(interfaceName) as importers_csv

 If instead you want to know if there are interfaceNames in the lookup not present in the results of the main search, you have to run something like this:

index="------------" code=* 
| stats count BY interfaceName 
| append [ | inputlookup importers.csv | eval count=0 |fields interfaceName count ]
| stats sum(count) AS total BY interfaceName
| eval status=if(total=0,"Not present","present")
| table interfaceName status

Ciao.

Giuseppe

0 Karma
Reply

Bracha
Path Finder
‎12-04-2023 02:51 AM

Hi @gcusello 

thank you for your quick response

I have two lists

1. importers - includes many importers 

2. importers_csv - contains some of the importers from the first list

I want a list which will contain the importers that are not in the CSV file

How to do it?

 

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2023 03:25 AM

Hi @Bracha ,

you have to use the first solution:

| inputlookup importers WHERE NOT [ | inputlookup importers_csv | fields interfaceName ]

put attention that the field names are the same (interfaceName).

Ciao.

Giuseppe

0 Karma
Reply

Bracha
Path Finder
‎12-04-2023 04:06 AM

@gcusello 

I want all records that not in csv

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎12-04-2023 05:10 AM

Hi @Bracha ,

with the above search you have all the records not in csv.

Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...