Add row in table if value not present in the field

ngautam760 · ‎08-03-2021

I have a table output from Splunk Query(Not posting original values of table due to sensitive data)

Col_A Col_B Col_C Col_D

1 B A W

2 B A X

3 B A Y

4 B A Z

I want to apply a search in column Col_D and if any of the among above values from Col_D is not present in the column then add row in the table.

Example :

Input:

Col_A Col_B Col_C Col_D

2 B A X

3 B A Y

Expected Output :

Col_A Col_B Col_C Col_D

2 B A X

3 B A Y

- - - W not present

- - - Z not present

ITWhisperer · ‎08-03-2021

<your search>
| append [| makeresults
  | eval Col_D=split("W,X,Y,Z",",")
  | mvexpand Col_D]
| stats values(*) as * by Col_D
| where isnull(Col_A) AND isnull(Col_B) AND isnull(Col_C)
| eval Col_D=Col_D." not present"

ngautam760 · ‎08-03-2021

I tried this but on using this Its not populating the records if it matches.

Example if W is present in the table, then data of W should come in result as it is.

ITWhisperer · ‎08-03-2021

| append
    [| makeresults
    | eval Missing_D=split("W,X,Y,Z",",")
    | mvexpand Missing_D
    | table Missing_D]
| eventstats values(Col_D) as Present_D
| eval Missing_D=if(isnull(mvfind(Present_D,Missing_D)),Missing_D,null())
| where isnotnull(Missing_D) OR isnotnull(Col_A) OR isnotnull(Col_B) OR isnotnull(Col_C) OR isnotnull(ColD)
| fields - Present_D

Add row in table if value not present in the field

table

Developer Spotlight with Paul Stout

State of Splunk Careers 2024: Maximizing Career Outcomes and the Continued Value of ...

Data-Driven Success: Splunk & Financial Services