Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Comparing two fields in different format from two different sources

amsagg
Observer
‎02-16-2021 06:18 PM

Hi Everyone,

I am trying to use  a lookup table and an index to get an output as a comparison of two fields from two different sources

lookup has a field that is in the format like this (fieldA)
aaa
ddd
fff


index has a field that is in the format like this (fieldB)

aaa.ccc.com
ddd.ccc.com
eee.ccc.com

index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A | append
[| inputlookup dnslookup.csv | table fieldA | rename fieldA as fieldB ] | stats count by  dest, fieldB

The result should look like the missing fields from comparison of fieldA and fieldB in this format
eee
fff


Labels (5)
Labels
Tags (1)
0 Karma
Reply

Kwip
Contributor
‎02-17-2021 11:22 AM

Hi @amsagg Try Something like below,

index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A
| rex field=fieldB "(?<fieldB>[^\.]+)"  ## To extract first portion to match with your lookup filed value
| table fieldB
| eval Flag="1"
| append
[| inputlookup dnslookup.csv
| table fieldA
| rename fieldA as fieldB
| eval Flag="1"]
| eventstats sum(Flag) Flag by fieldB
| dedup fieldB
| where Flag=1 ##If the field value exists in both index & lookup, the flag will be set to 2. Hence filtering to 1
| table fieldB

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 12:33 AM

Firstly, you should convert aaa.ccc.com to aaa otherwise they will not match

Secondly, if you only want the mismatches, and not any detail, you could dedup fieldB before the append

Then, when you count by fieldB, if your count is greater than 1, it appears in both then index and the lookup, otherwise it is a difference

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...