How to compare my search table to lookup table and...

karu0711 · ‎04-11-2023

I have lookup table like

Date ID Name
02/04 12547 xxx
02/04 12458 xxx
02/04 14587 xxx

I am running basesearch | table Date ID Name

Date ID Name
02/08 12547 xxx
02/08 12458 xxx
02/08 45896 xxx
02/08 47523 xxx

I want to compare my search table to lookup table and output the not match result to my search table. I try selfjoin it didnot work. Is any otherway I can do?

woodcock · ‎04-13-2023

Like this:

index="YourIndexHere" AND "sourcetype="YourSourcetypeHere"
| lookup YourLookupHere.csv Date ID Name OUTPUT Name AS MatchIfNotNull
| search NOT MatchIfNotNull="*"

yeahnah · ‎04-11-2023

Hi @karu0711

Something like this will find the base search results that are not in the lookup table.

 basesearch
| table Date ID Name
| stats values(*) AS * BY ID  ``` dedup the basesearch results by ID ```
| inputlookup append=true <add your lookup file here>   
| stats count values(*) AS * BY ID
| where count=1  ``` filter results that are not in the lookup file ```

Hope this helps

karu0711 · ‎04-12-2023

I got the not matching ID but I am getting out put table with only Date ID
Name field is not populating.

How to compare my search table to lookup table and output the not match result to my search table?

join

lookup

Observe and Secure All Apps with Splunk

Splunk Decoded: Business Transactions vs Business IQ

Fastest way to demo Observability

Are you a member of the Splunk Community?