Solved: Compare Lookup CSV with Search

sumit29 · ‎11-23-2015

Dear Experts ,

I have created the Lookup Hostname.csv(Contain only one field Hostname) which contain 100 number of hosts. I need to write a search to compare the hostname.csv with current search(List of unique hostname ) to get the new hostname come to network comparing with hostname.csv.

Lets say 101 , a new host came to network . Need to compare with hostname.csv . Display in search output

HeinzWaescher · ‎11-23-2015

sourcetype=foo NOT [inputlookup hostname.csv | fields+ host]
| stats values(host) AS new_hosts

The subsearch will exclude all known hosts from the list, so only new hosts are shown in the results

View solution in original post

HeinzWaescher · ‎11-23-2015

sourcetype=foo NOT [inputlookup hostname.csv | fields+ host]
| stats values(host) AS new_hosts

The subsearch will exclude all known hosts from the list, so only new hosts are shown in the results

Michael · ‎03-29-2017

hmm, did not work for me until I did:

index=blah [inputlookup hostname.csv | table host] | stats values(host) AS "Hosts appearing in Splunk, not on my list"

didn't use the "fields+"

Compare Lookup CSV with Search

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Event Series: Splunk Observability Metrics Cost Optimization

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Join the Conversation