Solved: Compare multiple inputlookup's

aswanda · ‎04-08-2013

I am looking for a way to compare data from multiple inputlookup csv's. Each CSV has the same exact set of fieldnames (IP, Host, Title). I know that I can list all the data from one csv by running: | inputlookup table1.csv
but I would like to search multiple table's at once and compare the results from specific fields. Is this possible in Splunk?

I imagine it's doable using a subsearch but I haven't had much luck. Things like: | inputlookup table1.csv [ | inputlookup table2.csv ] doesn't seem to work.

Anyone have any thoughts on this?
Thanks in advance!

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

View solution in original post

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

Compare multiple inputlookup's

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

Are you a member of the Splunk Community?

Compare multiple inputlookup's

Splunk Mobile: Your Brand-New Home Screen

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...