Difference between lookup and search - i only want...

greekleo89 · ‎05-12-2022

Hi All,

I have a splunk query which i cannot get to work for the life of me: This is the search

|inputlookup feeds.csv | fields "Threat Feed" |table "Threat Feed" |eval observed=1
|append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
|rename dn as "Threat Feed" customerID as companyId |table "Threat Feed" companyId
| join companyId
[| dbxquery query="mysql query" ]
|eval observed = 0]
|stats min(observed) as observed values(customerId) as cs by "Threat Feed" | where observed =1

Current Result:

Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers

The csv file only has a column named Threat Feed, there are five rows only.

The search results are around 25 different feeds per customer (50 customers)

I am interested in showing which feeds from the CSV do not exist in the search results i.e from the 25 feeds, i need this by customer so that i can create an alert.

At the moment i am getting an output of the 1 feed name that doesnt exist, but i cant link this to the customer as the csv file does not have a customerID field as its a generic file.

greekleo89 · ‎05-16-2022

bump bump....

Difference between lookup and search - i only want the unique value from the lookup that doesnt exist in the search

join

lookup

metadata

stats

tstats

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases