Difference between lookup and search - i only want...

greekleo89 · ‎05-12-2022

Hi All,

I have a splunk query which i cannot get to work for the life of me: This is the search

|inputlookup feeds.csv | fields "Threat Feed" |table "Threat Feed" |eval observed=1
|append [search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
|rename dn as "Threat Feed" customerID as companyId |table "Threat Feed" companyId
| join companyId
[| dbxquery query="mysql query" ]
|eval observed = 0]
|stats min(observed) as observed values(customerId) as cs by "Threat Feed" | where observed =1

Current Result:

Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers

The csv file only has a column named Threat Feed, there are five rows only.

The search results are around 25 different feeds per customer (50 customers)

I am interested in showing which feeds from the CSV do not exist in the search results i.e from the 25 feeds, i need this by customer so that i can create an alert.

At the moment i am getting an output of the 1 feed name that doesnt exist, but i cant link this to the customer as the csv file does not have a customerID field as its a generic file.

greekleo89 · ‎05-16-2022

bump bump....

Difference between lookup and search - i only want the unique value from the lookup that doesnt exist in the search

join

lookup

metadata

stats

tstats

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!