Hi All,

I have a splunk query which i cannot get to work for the life of me:  This is the search

|inputlookup feeds.csv | fields "Threat Feed" |table "Threat Feed" |eval observed=1
|append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
|rename dn as "Threat Feed" customerID as companyId |table "Threat Feed" companyId
| join companyId
[| dbxquery query="mysql query" ]
|eval observed = 0]
|stats min(observed) as observed values(customerId) as cs by "Threat Feed" | where observed =1

Current Result:

Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers

The csv file only has a column named Threat Feed, there are five rows only.

The search results are around 25 different feeds per customer (50 customers)

I am interested in showing which feeds from the CSV do not exist in the search results i.e from the 25 feeds, i need this by customer so that i can create an alert.

At the moment i am getting an output of the 1 feed name that doesnt exist, but i cant link this to the customer as the csv file does not have a customerID field as its a generic file.