Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to combine a csv and savedsearch and retrieve matching and unmatching results ?

kavyamohan
Explorer
‎09-09-2020 10:14 PM

I have a savedsearch which is a result of json data. Similarly I have a master csv. I have Assettag field common in both savedsearch and csv. Now, I want to combine both json and csv and get matching and unmatching results from both and also if Assettag is available in savedsearch but not in csv then it should be given Validation as Newly Scanned and if Assettag is available in csv but not in savedsearch then the Validation is Unscanned and if Assettag is available in both then it is Scanned. where Validation is a new field which should be created. How can I do this? 

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 10:37 PM

you can modify as you need. but below is the procedure to get results what you are expecting.

| your search # here, you have got search results from saved search and result has field called tag assuming.
| eval source="savedsearch"
| append [ | inputlookup yourcsvlookup.csv | table tag | eval source="lookup"]
| stats dc(source) as dc_source values(*) as * by tag
| eval validation=case(source=="savedsearch" AND dc_source=="1","Newly scanned",source=="lookup" AND dc_source=="1","Unscanned",dc_source=="2","scanned",1=1,"Other")

 

————————————
If this helps, give a like below.

View solution in original post

Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎09-09-2020 10:37 PM

you can modify as you need. but below is the procedure to get results what you are expecting.

| your search # here, you have got search results from saved search and result has field called tag assuming.
| eval source="savedsearch"
| append [ | inputlookup yourcsvlookup.csv | table tag | eval source="lookup"]
| stats dc(source) as dc_source values(*) as * by tag
| eval validation=case(source=="savedsearch" AND dc_source=="1","Newly scanned",source=="lookup" AND dc_source=="1","Unscanned",dc_source=="2","scanned",1=1,"Other")

 

————————————
If this helps, give a like below.
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...