Solved: Compare inputlookup and index search

Scroogemcdougal · ‎08-25-2021

Hi,

I have a lookupfile that contains a list of hosts, (one column named hosts), this list maybe subject to change.

I want to complete a search that will compare this lookup file to hosts in any specific index and return a table showing ok or missing if there is no match.

All searches I have attempted so far are happy to return either or, is the only option here to rename the field in the hostfile or any suggestions on how to complete this?

host (from lookup file)	host (from index)	match
host1	host1	ok
host2		missing
host3	host3	ok

ITWhisperer · ‎08-25-2021

search index
| table host
| dedup host
| append
  [ | inputlookup lookupfile
    | table host
    | dedup host ]
| stats count by host
| eval match=if(count=1, "missing", "ok")

View solution in original post

ITWhisperer · ‎08-25-2021

search index
| table host
| dedup host
| append
  [ | inputlookup lookupfile
    | table host
    | dedup host ]
| stats count by host
| eval match=if(count=1, "missing", "ok")

Scroogemcdougal · ‎08-26-2021

Hey man,

Thanks so much for this worked an absolute charm

Compare inputlookup and index search

fields

join

lookup

table

Developer Spotlight with Brett Adams

Index This | What can you do to make 55,555 equal 500?

Say goodbye to manually analyzing phishing and malware threats with Splunk Attack ...