Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Find incommon values within two Inputlookups without JOIN / Search NOT

moonie
Explorer
‎07-28-2021 01:40 AM

Hello,

I have a search where I need to combine two inputlookups to find incommon values in a field they both have. 
The inputlookups are quite big so my current search with JOIN or Search NOT are not working most of the time since they result in a timeout. 
Is there a better way to find incommon values, without join or search not? 
My current search with join looks like this:

| inputlookup table1 
| join type=left "ip" 
[| inputlookup table2 | mvexpand ip | eval xy="xy" | table ip xy]
| where isnull(xy)
| table ip

I've tried another search with NOT but it's working even worse:

| inputlookup table1 | search NOT
([| inputlookup table2 | return 10000 ip])

As I said,  both searches result in a timeout. I've been stuck with this problem for hours, so any help would be highly appreciated! 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-28-2021 02:29 AM

Append/stats

| inputlookup table2
| mvexpand ip 
| eval xy="xy"
| append [
  | inputlookup table1 
  | eval xy="ab"
]
| stats values(xy) as xy by ip
| where mvcount(xy)=1 AND xy="ab"

Will this work?

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎07-28-2021 02:29 AM

Append/stats

| inputlookup table2
| mvexpand ip 
| eval xy="xy"
| append [
  | inputlookup table1 
  | eval xy="ab"
]
| stats values(xy) as xy by ip
| where mvcount(xy)=1 AND xy="ab"

Will this work?

Reply
Solved! Jump to solution

moonie
Explorer
‎07-28-2021 02:44 AM

Yes that works perfectly!! Thank you so so  much! 🙂 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎07-28-2021 02:27 AM

Try something like this

| inputlookup table1
| append [| inputlookup table2]
| stats values(*) as * by commonfield
Reply
Solved! Jump to solution

moonie
Explorer
‎07-28-2021 02:48 AM

Unfortunately  I didn't get correct results with this solution, but thank you anyways! 
This helped me find common values instead of incommon ones 

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk App for Anomaly Detection End of Life Announcment

Q: What is happening to the Splunk App for Anomaly Detection?A: Splunk is officially announcing the ...

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...