Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare multiple fields between two CSV files?

russell120
Communicator
‎09-11-2018 06:49 AM

Hi. I'm attempting to compare an inventory master list (lookup file) to a weekly inventory list (lookup file) displayed by Splunk to see if an unauthorized item has been added OR removed in the weekly list.

Example:
masterlookup.csv

device              hostname                  ip                      domain
router              router1234               111.11.11.111          usr.hey.spk
workstation         workstation1234          222.22.22.222          usr.hey.spk
printer             printer1234              123.12.12.123          usr.hey.spk
switch              switch1234               444.44.44.444          usr.hey.spk

week2lookup.csv

device         hostname         ip                 domain
router         router4321       211.11.11.111      usr.hey.spk
workstation    workstation1234  222.22.22.222      usr.hey.spk
printer        printer5678      999.99.99.999      usr.hey.spk

The two queries should search three fields (hostname, ip, domain) and return the router and printer device because their hostname and ip values do not match what is listed in the masterlookup.csv. I intend to have a panel display a table of what is added (the new router and printer in week2lookup.csv) and another to display what was removed (the router, printer, and switch in masterlookup.csv).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

osakachan
Communicator
‎10-23-2018 10:54 PM

Maybe this solution is not efficient but is the first one I thought

 | inputlookup masterlookup.csv 
 | eval time="old"
 | append 
     [ | inputlookup week2lookup.csv 
     | eval time="new"]
 | stats count values(time) as when by hostname, device, ip, domain
 | search count=1 when=old

Changing the field's value in the last search you can have added or removed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

osakachan
Communicator
‎10-23-2018 10:54 PM

Maybe this solution is not efficient but is the first one I thought

 | inputlookup masterlookup.csv 
 | eval time="old"
 | append 
     [ | inputlookup week2lookup.csv 
     | eval time="new"]
 | stats count values(time) as when by hostname, device, ip, domain
 | search count=1 when=old

Changing the field's value in the last search you can have added or removed.

0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎09-13-2018 04:18 AM

Maybe this solution is not efficient but is the first one I thought

| inputlookup masterlookup.csv 
| eval time="old"
| append 
    [ | inputlookup week2lookup.csv 
    | eval time="new"]
| stats count values(time) as when by hostname, device, ip, domain
| search count=1 when=old

Changing the field's value in the last search you can have added or removed.

Reply
Solved! Jump to solution

russell120
Communicator
‎10-23-2018 08:35 AM

@elpred0 Post this again as a new comment so that I can accept it as the answer.

0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎10-23-2018 11:03 PM

Done! Thank you @russell120 !!

0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-23-2018 08:15 AM

This works!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...