Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Print Id's which are not present in Index search?

RahulMisra
Engager
‎08-24-2023 06:45 AM

I have a lookup file( with one column combinedrules{}) which would be dynamic and i want to run a scheduled search to print ID's that are not present in the index search(has same column combinedrules{}).

 

Lookup File

combinedrules{}

324252

543246

search

 

 

Combinedrules{} Search(index) Inputlookup file
324252 No Yes
432324 No Yes
Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2023 06:55 AM

Hi @RahulMisra,

you could try something like this:

index=your_index
| eval Combinedrules{}=lower(Combinedrules{})
| stats count BY Combinedrules{}
| append [ | inputlookup your_lookup.csv | eval Combinedrules{}=lower(Combinedrules{}), count=0, lookup_check="yes" | fields Combinedrules{} count lookup_check ]
| fillnull value="no" lookup_check
| stats 
   sum(count) AS total 
   values(lookup_check) AS lookup_check
   dc(lookup_check) AS lookup_check_count
   BY Combinedrules{}
| eval 
   search_index=if(total=0,"no","yes),
   lookup_check=if(lookup_check_count=1,lookup_check,"yes")
| table Combinedrules{} search_index lookup_check

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-25-2023 04:13 AM

Just one last thing, i am getting desired results on stats ( as per my lookup file)

RahulMisra_1-1692961946831.png

 

but , events are not aliighning to stats

RahulMisra_0-1692961914095.png

RahulMisra_2-1692961999840.png

 

 

0 Karma
Reply
Solved! Jump to solution

aromanauskas
Path Finder
‎08-24-2023 04:08 PM

You have a couple different ways to do this.  if you have say 10000 items in the lookup table.. but 10Million in the index many of which are NOT in the lookup then you probably want to use it as part of the search. 

index=<indexname> [ | inputlookup <filename> | fields combinedrules{} | format] 
| append [ | inputlookup <filename> | eval sourcetype=lookupfile ]
|stats dc(sourcetype) AS sources by combinedrules{} 
| eval Search_Index=if(sources > 1,"Yes","No")
| eval Inputlookup_File = "Yes"

If you want to know if a value is IN the index but not the lookup file.. then: 

index=<indexname>
| append [ | inputlookup <filename> | eval sourcetype=lookupfile ]
|stats dc(sourcetype) AS sources values(sourcetype) AS sourcetype by combinedrules{} 
| eval Search_Index=if(sources > 1 OR NOT match(sourcetype,"(lookupfile)"),"Yes","No")
| eval Inputlookup_File =if(match(sourcetype,"(lookupfile)"),"Yes","No")
|fields combinedrules{},Search_Index,Inputlookup_File


0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 06:59 AM 
<index search>
| dedup combinedrules
| eval found="Index"
| append
  [| inputlookup lookupfile
  | eval found="Lookup"]
| chart count by combinedrules found
| where isnull(Index) OR (Index==0 AND Lookup==1)
0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 08:59 AM

RahulMisra_0-1692892727012.png

No data coming in.

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 09:32 AM

Are you using the correct field names? (Fieldnames are case-sensitive)

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 09:29 AM

I got some data after removing dedup

RahulMisra_0-1692895341985.png

 

combinedrules{}

3000041
959073
981248

 

I want to see what events are there is search which has these Id's.

 

This is the combined rules field containing on raw events : "combinedrules": ["3900006", "3900007", "3900013", "3900020", "3900021", "3900036", "970901"

 

Appreciate your help.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2023 06:55 AM

Hi @RahulMisra,

you could try something like this:

index=your_index
| eval Combinedrules{}=lower(Combinedrules{})
| stats count BY Combinedrules{}
| append [ | inputlookup your_lookup.csv | eval Combinedrules{}=lower(Combinedrules{}), count=0, lookup_check="yes" | fields Combinedrules{} count lookup_check ]
| fillnull value="no" lookup_check
| stats 
   sum(count) AS total 
   values(lookup_check) AS lookup_check
   dc(lookup_check) AS lookup_check_count
   BY Combinedrules{}
| eval 
   search_index=if(total=0,"no","yes),
   lookup_check=if(lookup_check_count=1,lookup_check,"yes")
| table Combinedrules{} search_index lookup_check

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 02:51 PM

getting error:

 

 Error in 'EvalCommand': The expression is malformed. Expected ).

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-25-2023 03:14 AM

@gcusello  I am getting the desired results.  Accepting the solution. 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-25-2023 03:17 AM

Hi @RahulMisra ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...