Splunk Search

How to compare inputlookup/lookup to search results and return the results from only the search?

CSULeigh
Explorer

I am searching for a user list that I have in an inputlookup/lookup CSV. I need to compare results from a search to the inputlookup/lookup list, which is over 80k users, and return only the new results that are not in the CSV. This is my search:

index=blahblah event_type=login
| convert timeformat="%m/%d/%Y" ctime(_time) AS date
| stats earliest(date) AS date by unique_id
| lookup userlist unique_id AS unique_id OUTPUTNEW unique_id AS match
| where isnull(match)

This does kind of work, but I believe I am hitting the max_output_limits for a subsearch.
Any help would be greatly appreciated.

0 Karma
1 Solution

starcher
Influencer

As mentioned by @maciep, there is no subsearch there, so no issue with limits.conf. Also, to the previous comment: lookups are case-sensitive by default. If your data is lowercase but the column in the lookup is not, then you will not get a match. Change the lookup definition to be case-insensitive.

index=blahblah event_type=login 
| stats min(_time) AS firstSeen by unique_id 
| lookup userlist unique_id OUTPUTNEW unique_id AS match 
| where isnull(match) 
| convert timeformat="%m/%d/%Y" ctime(firstSeen) AS date


0 Karma


CSULeigh
Explorer

Thank you for the help. I forgot to uncheck the case sensitivity in the lookup settings.

0 Karma

maciep
Champion

Seems like that should work... and I don't see any subsearches in there. Are you expecting to see users in your results that you don't? Or do you see users you don't expect?

Is the lookup case-insensitive, or are all of your unique_ids in the same case in the data and in the lookup?

0 Karma

CSULeigh
Explorer

When the search runs, I get results back that I should not see. I have read about limits.conf maybe limiting the return to 10k rows.

All of the IDs are in lower case.

0 Karma

maciep
Champion

I don't think that limit comes into play with lookups, but I could be wrong. I would also check to make sure that you don't have any white space around the id field in your data and the one in the lookup.

0 Karma
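The thread settles on two causes of spurious "new" users: the lookup's default case-sensitive matching (starcher's answer) and stray whitespace around the join key (maciep's last comment). The following Python script is an added example, not code from the original thread or from Splunk; it simulates the accepted SPL pipeline (`stats min(_time) by unique_id`, then the anti-join `lookup ... OUTPUTNEW ... | where isnull(match)`) over a handful of constructed login events and a constructed stand-in for the `userlist` CSV, so you can see exactly which rows leak through under each matching rule. The event data, the CSV contents and the field values are all made up for the illustration.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample login events (not data from the original thread); each
# row stands for one event returned by `index=blahblah event_type=login`.
LOGIN_EVENTS = [
    {"_time": 1712000000, "unique_id": "alice"},
    {"_time": 1712100000, "unique_id": "alice"},
    {"_time": 1712050000, "unique_id": "bob "},   # trailing space in the event data
    {"_time": 1712200000, "unique_id": "Carol"},  # mixed case in the event data
    {"_time": 1711900000, "unique_id": "dave"},   # genuinely absent from the lookup
]

# Constructed stand-in for the `userlist` lookup CSV (hypothetical contents).
USERLIST_CSV = "unique_id\nalice\nbob\ncarol\n"


def normalize(value, case_sensitive, trim):
    """Apply the same key normalization to both sides of the join."""
    if trim:
        value = value.strip()
    if not case_sensitive:
        value = value.lower()
    return value


def load_lookup(csv_text, case_sensitive, trim):
    """Read the lookup CSV into a set of join keys."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize(row["unique_id"], case_sensitive, trim) for row in reader}


def first_seen(events):
    """Equivalent of `| stats min(_time) AS firstSeen by unique_id`."""
    seen = {}
    for ev in events:
        uid = ev["unique_id"]
        seen[uid] = min(seen.get(uid, ev["_time"]), ev["_time"])
    return seen


def new_users(events, lookup_csv, case_sensitive=True, trim=False):
    """Equivalent of `| lookup userlist unique_id OUTPUTNEW unique_id AS match
    | where isnull(match)`.

    Returns a sorted list of (unique_id, date) for ids that did not match the
    lookup, with date formatted like `convert timeformat="%m/%d/%Y"` (UTC here
    so the result is deterministic).
    """
    known = load_lookup(lookup_csv, case_sensitive, trim)
    result = []
    for uid, ts in first_seen(events).items():
        if normalize(uid, case_sensitive, trim) in known:
            continue  # lookup matched: `match` is non-null, so the row is dropped
        date = datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%Y")
        result.append((uid, date))
    return sorted(result)


if __name__ == "__main__":
    # Default lookup behaviour: case-sensitive, no trimming. "bob " and "Carol"
    # wrongly show up as new users alongside the genuinely new "dave".
    print(new_users(LOGIN_EVENTS, USERLIST_CSV))
    # After making the lookup case-insensitive and trimming the key: only "dave".
    print(new_users(LOGIN_EVENTS, USERLIST_CSV, case_sensitive=False, trim=True))
```

In Splunk itself the equivalent fixes are the case-sensitivity checkbox in the lookup definition (the `case_sensitive_match` setting of the lookup in transforms.conf) and, for whitespace, normalizing the key before the `lookup` command, e.g. `| eval unique_id=trim(unique_id)`, while making sure the CSV column is clean as well. Note that no subsearch row limit is involved anywhere in this pipeline, which matches what the thread concludes.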