Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

How do I Compare field values between Lookup Table and Sourcetype and find the Delta

SplunkDash
Motivator
‎03-09-2023 10:05 PM

Hello,

I am facing issues to find delta.

I have:

Lookup Table: testaccount_holder.csv

2 Field names in Lookup: account_no and cell

index=test Sourcetype =test_account

2 Field names :  account_no and cell

Now, need to compare Lookup table with  sourcetype using these 2 fields and find all the records/rows which are exist in Lookup table but not in sourcetype. This comparison is based on these 2 fields.

Any recommendations will be highly appreciated. Thank you so much.

 

Labels (2)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:09 PM

Try this

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
  | inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:09 PM

Try this

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
  | inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎07-19-2023 01:55 PM

Hello @bowesmana 

Delta created using following logic is not giving the right output.  Output from that delta I found basically what we can get if you run: 

| inputlookup testaccount_holder.csv

 

Any recommendations would be appreciated. Thank you!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎03-09-2023 10:44 PM

Hello,

I have one more question related to this. I was trying show other fields which are present in Lookup Table and was using (| table account_no cell name address) at the end, but not showing up. Any recommendation will be highly appreciated. Thank you again.

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
| inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)| table account_no cell name address

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-10-2023 05:43 PM

After the stats command you will only have fields that are part of the stats, so in this case, found, account_no and cell. So, if you want to carry through address do this using the modified append and stats.

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
``` So in the search above, you will have 3 fields
    account_no, cell and found
```
| append [
  | inputlookup testaccount_holder.csv
  ``` Now specify the fields you want from the lookup to pass through to the end result ```
  | fields account_no cell name address
]
``` and this stats command using wildcards, will carry through ANY of the fields you retain above ```
| stats values(*) as * by account_no cell
| where isnull(found)
| table account_no cell name address

 

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎03-09-2023 10:29 PM

Hello,

Thank you so much for your quick response, truly appreciate it. Your SPL code is working as expected, AWESOME!!!

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:44 PM

Great! You will find this is a common pattern referred to as 'proving the negative', i.e. when the data does NOT contain what you are looking for, so you do the pattern of

1. Search Data
2. Set an indicator that it's present in data
3. Append the expected source of truth
4. Resolve the duplicates
5. Validate what is not present

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...

Deep insights, no barriers: Splunk Observability Cloud Free Edition

As software delivery cycles continue to accelerate, observability shouldn’t be a luxury — it should be a ...