Hi All,
I have a Splunk query which I cannot get to work for the life of me. This is the search:
| inputlookup feeds.csv | fields "Threat Feed" | table "Threat Feed" | eval observed=1
| append [ search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
    | rename dn AS "Threat Feed", customerID AS companyId | table "Threat Feed" companyId
    | join companyId
        [ | dbxquery query="mysql query" ]
    | eval observed=0 ]
| stats min(observed) AS observed values(companyId) AS cs BY "Threat Feed" | where observed=1
Current Result:
Threat Feed (column name)
Feed55 <<< Correct feed that should not exist in any of the customers
The CSV file only has a column named Threat Feed; there are five rows only.
The search results are around 25 different feeds per customer (50 customers).
I am interested in showing which feeds from the CSV do not exist in the search results, i.e. from the 25 feeds; I need this by customer so that I can create an alert.
At the moment I am getting an output of the one feed name that doesn't exist, but I can't link this to the customer as the CSV file does not have a customerID field, as it is a generic file.
bump bump....
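One way to get the missing feeds per customer, as an added example and not the poster's own query: first build every (customer, expected feed) pair by cross-joining the five CSV rows with the list of customers taken from the search itself, then append the feeds actually seen and keep only the pairs that were never observed. It assumes the same index, sourcetype, source and field names as in the post (`dn`, `customerID`, `Threat Feed`); the `dbxquery` join is left out because the page does not give that query, so add it back after the final `stats` if it supplies customer details you need in the alert.

```spl
| inputlookup feeds.csv
| fields "Threat Feed"
| eval k=1
| join type=inner max=0 k
    [ search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
      | stats count BY customerID
      | rename customerID AS companyId
      | fields companyId
      | eval k=1 ]
| fields - k
| eval observed=0
| append
    [ search index=main sourcetype="feeds" source="/opt/splunkforwarder/bin/scripts/stats.sh" type=feed
      | rename dn AS "Threat Feed", customerID AS companyId
      | stats count BY companyId "Threat Feed"
      | eval observed=1 ]
| stats max(observed) AS observed BY companyId "Threat Feed"
| where observed=0
| stats values("Threat Feed") AS missing_feeds BY companyId
```

The `join ... max=0` on the constant `k` is what produces the cross product (customers x CSV feeds, roughly 250 rows here, well inside the default subsearch limits); the final `stats` collapses that to one row per customer with its missing feeds, which is the shape an alert can act on.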