Splunk Search

How to compare two CSVs and see what's missing from the original?

Communicator

Hi, consider these two CSVs

septemberheros.csv:

name    alias       best_power       origin
clark   superman     flight          krypton
bruce   batman       wealth          earth
diane   wonderwoman  strength     paradise_island

octoberheros.csv

name    alias       best_power       origin
clark   superman    ice_breath       krypton
diane   wonderwoman  strength     paradise_island

I need a search that will compare these two CSV files and display events that are missing/changed from the first CSV file (septermberheros.csv). With this example the result should look like this since the batman row was deleted and flight was changed to ice_breath in the superman row:

name    alias       best_power       origin
clark   superman     flight          krypton
bruce   batman       wealth          earth
0 Karma

Communicator

Additional note for context: My real data has thousands of events. Each event is a device with an ip, mac, etc. I would just like to be able to compare two inventory CSVs from separate days to see which devices are missing or changed.

0 Karma

SplunkTrust
SplunkTrust

You'd need a primary key based on which things can be compared, what would that primary key be in your real data? or in your sample data.

0 Karma

Communicator

@somesoni2 By primary key do you refer to a field(s) or field value(s)? If so, the fields to compare against should be name and alias and best_power and origin (in reality I'd need to see if ip's or mac addresses, etc. have been changed or are missing. But I also need to be able to see that the bruce row has been deleted completely.

0 Karma