Splunk Enterprise
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compare 2 lookups contents

spisiakmi
Contributor
‎07-30-2025 12:01 AM

Hi, any support please.

I have 2 lookups.

tmp1_1.csv

WorkplaceId,PK1,Description,Contract
1234567890,7535712,Contract1,19
1123456789,7535712,Contract2,18
1234567890,7456072,Contract3,14
1234567890,7456072,Contract4,15
1234567891,7456072,Contract5,16

tmp1_2.csv

WorkplaceId,State,Timestamp,ContractId
1234567890,Start,1752838050,12
1234567890,End,1752838633,12
1123456789,Start,1752838853,13
1123456789,Break,1752839380,13
1123456789,End,1752839691,13
1234567890,Start,1752839720,14
1234567890,Start,1752839745,15
1234567891,Start,1752839777,16
1234567891,Start,1752839790,18
1234567890,Start,1752839892,19

 

The primary key between these tables is
WorkplaceId,Contract=WorkplaceId,ContractId

The task is always to select the content from tmp1_2.csv based on conditions

  1. cond1: select everything from tmp1_2.csv where WorkplaceId,Contract!=WorkplaceId,ContractId. In this case the result should be

WorkplaceId,State,Timestamp,ContractId
1234567890,Start,1752838050,12
1234567890,End,1752838633,12
1123456789,Start,1752838853,13
1123456789,Break,1752839380,13
1123456789,End,1752839691,13

2. cond2: select everything from tmp1_2.csv where WorkplaceId,Contract=WorkplaceId,ContractId. In this case the result should be

WorkplaceId,State,Timestamp,ContractId
1234567890,Start,1752839720,14
1234567890,Start,1752839745,15
1234567891,Start,1752839777,16
1234567891,Start,1752839790,18
1234567890,Start,1752839892,19

Any support, please?

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎07-30-2025 01:24 AM

@spisiakmi 

You want 2 different searches for your conditions like below?

Condition 1: Select rows from tmp1_2.csv where (WorkplaceId,ContractId) is NOT present in tmp1_1.csv as (WorkplaceId,Contract)

| inputlookup tmp1_2.csv
| eval key=WorkplaceId."-".ContractId
| lookup tmp1_1.csv WorkplaceId as WorkplaceId, Contract as ContractId OUTPUT PK1
| where isnull(PK1)
| table WorkplaceId, State, Timestamp, ContractId

 

Condition 2: Select rows from tmp1_2.csv where (WorkplaceId,ContractId) is present in tmp1_1.csv as (WorkplaceId,Contract)

| inputlookup tmp1_2.csv
| eval key=WorkplaceId."-".ContractId
| lookup tmp1_1.csv WorkplaceId as WorkplaceId, Contract as ContractId OUTPUT PK1
| where isnotnull(PK1)
| table WorkplaceId, State, Timestamp, ContractId

 

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

PrewinThomas
Motivator
‎07-30-2025 01:24 AM

@spisiakmi 

You want 2 different searches for your conditions like below?

Condition 1: Select rows from tmp1_2.csv where (WorkplaceId,ContractId) is NOT present in tmp1_1.csv as (WorkplaceId,Contract)

| inputlookup tmp1_2.csv
| eval key=WorkplaceId."-".ContractId
| lookup tmp1_1.csv WorkplaceId as WorkplaceId, Contract as ContractId OUTPUT PK1
| where isnull(PK1)
| table WorkplaceId, State, Timestamp, ContractId

 

Condition 2: Select rows from tmp1_2.csv where (WorkplaceId,ContractId) is present in tmp1_1.csv as (WorkplaceId,Contract)

| inputlookup tmp1_2.csv
| eval key=WorkplaceId."-".ContractId
| lookup tmp1_1.csv WorkplaceId as WorkplaceId, Contract as ContractId OUTPUT PK1
| where isnotnull(PK1)
| table WorkplaceId, State, Timestamp, ContractId

 

Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Solved! Jump to solution

spisiakmi
Contributor
‎07-30-2025 02:07 AM

Hi PrewinThomas

thank you very much. Works fantastic.

 

0 Karma
Reply
Get Updates on the Splunk Community!

.conf25 Community Recap

Hello Splunkers, And just like that, .conf25 is in the books! What an incredible few days — full of learning, ...

Splunk App Developers | .conf25 Recap & What’s Next

If you stopped by the Builder Bar at .conf25 this year, thank you! The retro tech beer garden vibes were ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...