How to compare 2 different Fields between 2 lookup...

HPACHPANDE · ‎12-28-2023

Lookup 1 : Contains fields such as AssetName FQDN and IP Address
Lookup 2 : Contains fields such as Host Index and source type

Expected Output : Need to compare host value from lookup 2 with FQDN and IP address in Lookup 1 and output must be missing devices details

dtburrows3 · ‎12-28-2023

If I correctly understood what you are asking for I was able to achieve it by doing this.

| inputlookup <lookup_2>
    ``` checking for match against host field from lookup_2 against the FQDN field in lookup_1 ```
    | lookup <lookup_1> FQDN as host OUTPUT FQDN as host_match
    ``` checking for match against host field from lookup_2 against the IP field in lookup_1 ```
    | lookup <lookup_1> IP as host OUTPUT IP as ip_match
    ``` coalesce the fqdn and ip matches into one field ```
    | eval
        asset_match=coalesce(host_match, ip_match)
    | fields - host_match, ip_match
    ``` filter off hosts that matches were found for ```
    | where isnull(asset_match)

Example of lookup_1:

Example of lookup_2:

Example of final output:

You can see in the final output that the only 2 entries returned are ones who's host values do not have any matches against FQDN or IP in lookup_1.

How to compare 2 different Fields between 2 lookups and output must be missing items

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?