Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to compare CSV data with Splunk data?

Khuzair81
Path Finder
‎01-25-2023 02:55 AM

Please help with the query on how to compare CSV data with Splunk event and get those data in result which is not available in csv.

Thanks

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-25-2023 03:02 AM

Hi @Khuzair81,

I assume you have a lookup as lookup.csv contains src field and trying to compare src field values in your events src field does not exist in lookup.

You can try the below as a sample.

index=_internal NOT [|inputlookup lookup.csv | fields src | format]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 03:00 AM

It depends on what you have in your events and what you have in your csv.

If there is always a field in the csv which isn't in the events, you could use lookup to find all the matching events and where the extra field is null, no match was found.

If all fields in the csv appear in the event fields, you could append the csv with inputlookup and the use stats to count the occurrences of all the fields from the csv and where the count is 1 and the event came from the index search, it is missing from the csv.

0 Karma
Reply

Khuzair81
Path Finder
‎01-25-2023 03:11 AM

Hi, in the CSV file in there is a field.  

Brand : Puma, Adidas

SplunkEvents

Brand : Puma, Adidas, Nike, Gucci, LV

I want the result as

Brand : Nike, Gucci, LV

 

 

 

 

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 03:15 AM

With such a simple csv, @scelikok approach is easier.

index=<your index> NOT [|inputlookup <your csv> | format]
Reply
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

 Prepare to elevate your security operations with the powerful upgrade to Splunk Enterprise Security 8.x! This ...

Get Early Access to AI Playbook Authoring: Apply for the Alpha Private Preview ...

Passionate about security automation? Apply now to our AI Playbook Authoring Alpha private preview ...

Reduce and Transform Your Firewall Data with Splunk Data Management

Managing high-volume firewall data has always been a challenge. Noisy events and verbose traffic logs often ...