Solved: Re: Compare Lookup CSV with Search

sumit29 · ‎11-23-2015

Dear Experts ,

I have created the Lookup Hostname.csv(Contain only one field Hostname) which contain 100 number of hosts. I need to write a search to compare the hostname.csv with current search(List of unique hostname ) to get the new hostname come to network comparing with hostname.csv.

Lets say 101 , a new host came to network . Need to compare with hostname.csv . Display in search output

HeinzWaescher · ‎11-23-2015

sourcetype=foo NOT [inputlookup hostname.csv | fields+ host]
| stats values(host) AS new_hosts

The subsearch will exclude all known hosts from the list, so only new hosts are shown in the results

View solution in original post

HeinzWaescher · ‎11-23-2015

sourcetype=foo NOT [inputlookup hostname.csv | fields+ host]
| stats values(host) AS new_hosts

The subsearch will exclude all known hosts from the list, so only new hosts are shown in the results

Michael · ‎03-29-2017

hmm, did not work for me until I did:

index=blah [inputlookup hostname.csv | table host] | stats values(host) AS "Hosts appearing in Splunk, not on my list"

didn't use the "fields+"

Compare Lookup CSV with Search

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms