Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Comparing two fields in different format from two different sources

amsagg
Observer
‎02-16-2021 06:18 PM

Hi Everyone,

I am trying to use  a lookup table and an index to get an output as a comparison of two fields from two different sources

lookup has a field that is in the format like this (fieldA)
aaa
ddd
fff


index has a field that is in the format like this (fieldB)

aaa.ccc.com
ddd.ccc.com
eee.ccc.com

index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A | append
[| inputlookup dnslookup.csv | table fieldA | rename fieldA as fieldB ] | stats count by  dest, fieldB

The result should look like the missing fields from comparison of fieldA and fieldB in this format
eee
fff


Labels (5)
Labels
Tags (1)
0 Karma
Reply

Kwip
Contributor
‎02-17-2021 11:22 AM

Hi @amsagg Try Something like below,

index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A
| rex field=fieldB "(?<fieldB>[^\.]+)"  ## To extract first portion to match with your lookup filed value
| table fieldB
| eval Flag="1"
| append
[| inputlookup dnslookup.csv
| table fieldA
| rename fieldA as fieldB
| eval Flag="1"]
| eventstats sum(Flag) Flag by fieldB
| dedup fieldB
| where Flag=1 ##If the field value exists in both index & lookup, the flag will be set to 2. Hence filtering to 1
| table fieldB

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎02-17-2021 12:33 AM

Firstly, you should convert aaa.ccc.com to aaa otherwise they will not match

Secondly, if you only want the mismatches, and not any detail, you could dedup fieldB before the append

Then, when you count by fieldB, if your count is greater than 1, it appears in both then index and the lookup, otherwise it is a difference

0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...