Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to compare CSV data with Splunk data?

Khuzair81
Path Finder
‎01-25-2023 02:55 AM

Please help with the query on how to compare CSV data with Splunk event and get those data in result which is not available in csv.

Thanks

Labels (2)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-25-2023 03:02 AM

Hi @Khuzair81,

I assume you have a lookup as lookup.csv contains src field and trying to compare src field values in your events src field does not exist in lookup.

You can try the below as a sample.

index=_internal NOT [|inputlookup lookup.csv | fields src | format]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 03:00 AM

It depends on what you have in your events and what you have in your csv.

If there is always a field in the csv which isn't in the events, you could use lookup to find all the matching events and where the extra field is null, no match was found.

If all fields in the csv appear in the event fields, you could append the csv with inputlookup and the use stats to count the occurrences of all the fields from the csv and where the count is 1 and the event came from the index search, it is missing from the csv.

0 Karma
Reply

Khuzair81
Path Finder
‎01-25-2023 03:11 AM

Hi, in the CSV file in there is a field.  

Brand : Puma, Adidas

SplunkEvents

Brand : Puma, Adidas, Nike, Gucci, LV

I want the result as

Brand : Nike, Gucci, LV

 

 

 

 

 

 

 

 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎01-25-2023 03:15 AM

With such a simple csv, @scelikok approach is easier.

index=<your index> NOT [|inputlookup <your csv> | format]
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...

Network to App: Observability Unlocked [May & June Series]

In today’s digital landscape, your environment is no longer confined to the data center. It spans complex ...

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...