Displaying data that is missing from a lookup tabl...

mlg · ‎10-08-2021

Hi, I am new to Splunk and working with parking records. I am trying to display parking spaces that are currently not in use.

Within my monitored data each record has the following fields:

the time data was created, which is when the car parked
permit_expiry, which is a couple of hours after the creation time
parking_space, which is a number between 1 and 99, that doesn't repeat until the permit_expiry has passed.

I also have a separate lookup table/csv file called parking_lots of all parking_space (1-99), and their respective parking_lot.

This is what I have come up with so far:

sourcetype="parking_log"
| where now() < expiry_time
| lookup parking_lots parking_space
| *display parking_space that don't appear in the above search (1-99)*

I am struggling to understand how to display the parking spaces, as well as use of the now() function.
Many thanks!

ITWhisperer · ‎10-08-2021

sourcetype="parking_log"
| where now() < expiry_time
| append [| inputlookup parking_lots]
| stats values(expiry_time) as expiry_time by parking_space
| where isnull(expiry_time)

Displaying data that is missing from a lookup table

fields

lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)

Automating Threat Operations and Threat Hunting with Recorded Future

Join the Conversation