How edit my search to display a missing field from...

cg1992 · ‎10-04-2015

I have two CSV files: one is has Server and Customer Name and the other also has the same, but it comes from RV Tools report. I am trying to get missing fields in the first CSV to get updated from the second, but it seems that it is totally getting replaced. My current search is below:

source="Customer.CSV" NOT customer="*"| fields server_name,customer | rename server_name as hostname | join hostname [search source="*RVTools_tabvInfo.csv"|fields hostname, Annotation | rename Annotation as customer]|table hostname, customer | dedup hostname

Example for Customer.csv
HDC01 A
HDC02

HDC03 C

Example for RVTools.csv

HDC01 A1
HDC02 B
HDC03 C1

Desired output
HDC02 B

With the search above, I get the same output as RVTools.csv. Please help out in correcting the search.

sfatnass · ‎10-05-2015

try this:

| join type = inner hostname

////////

however you can use

set diff [search source="Customer.CSV" NOT customer="*"| fields server_name,customer | rename server_name as hostname][search source="*RVTools_tabvInfo.csv"|fields hostname, Annotation | rename Annotation as customer]|table hostname, customer | dedup hostname

How edit my search to display a missing field from one table that is found in another table?

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!