Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to compare event data with lookup data to find missing field values?

gauravu_14
Explorer
‎09-28-2023 10:01 AM

I need to compare the values of 2 fields from the Splunk data with the field-values from the lookup and find the missing values from the Splunk data and output those missing field value pairs

For ex:

index=test  sourcetype=splunk_test_data
fields: field1, field2

lookup: test_data.csv
Fields: field1, field2

The output should show missing values from the Splunk data and output those missing values

Any help would be appreciated 
Thanks

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-28-2023 12:38 PM

To find out which fields are present in the lookup and absent in the index use a subsearch, like this:

| inputlookup test_data.csv where NOT [search index=test sourcetype=splunk_test_data | fields field1 field2 | format]
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-28-2023 12:38 PM

To find out which fields are present in the lookup and absent in the index use a subsearch, like this:

| inputlookup test_data.csv where NOT [search index=test sourcetype=splunk_test_data | fields field1 field2 | format]
---
If this reply helps you, Karma would be appreciated.
Reply
Solved! Jump to solution

gauravu_14
Explorer
‎10-02-2023 03:18 AM

I would like to know which values are missing in the events compared to the lookup and output those field-values

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎10-02-2023 05:09 AM

The same search should do that.  It's a matter of how extensive the lookup file is.

---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...
Top