Hi @Khuzair81,
I assume you have a lookup as lookup.csv contains src field and trying to compare src field values in your events src field does not exist in lookup.
You can try the below as a sample.
index=_internal NOT [|inputlookup lookup.csv | fields src | format]
It depends on what you have in your events and what you have in your csv.
If there is always a field in the csv which isn't in the events, you could use lookup to find all the matching events and where the extra field is null, no match was found.
If all fields in the csv appear in the event fields, you could append the csv with inputlookup and the use stats to count the occurrences of all the fields from the csv and where the count is 1 and the event came from the index search, it is missing from the csv.
Hi, in the CSV file in there is a field.
Brand : Puma, Adidas
SplunkEvents
Brand : Puma, Adidas, Nike, Gucci, LV
I want the result as
Brand : Nike, Gucci, LV
With such a simple csv, @scelikok approach is easier.
index=<your index> NOT [|inputlookup <your csv> | format]