Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to create a true comparison where it matches values, and provides a percentage based on matches that are true?

Minasdad
Path Finder
‎08-01-2022 07:50 AM

I've been comparing two lookup files, but its more pure arithmetic, where I am trying to implement a true comparison where it looks to match values, and provide a percentage based on which matches were true. So if I have three values in file1, and only two values match in file2, the percentage would equal to 66.6%.

 

| inputlookup file1
| eventstats dc(Serial Number) as file1_Count
| dedup file1_Count
| inputlookup append=T file2
| eventstats dc(System Serial Number) as file2_Count
| dedup file2
| fields file1_Count,file2_Count
| eval percentage=round('file2_Count'/'file1_Count'*100,2)."%"

 

Labels (2)
Labels
0 Karma
Reply

Minasdad
Path Finder
‎08-03-2022 10:30 AM

Looking back at the question its not the result I truly want. I believe this is fairly simple but keeps slipping through my fingers.  File1.csv has a field of "Serial Number" and File2.csv has a field of "System Serial Number", all I want to do is compare and produce the results that do not match.

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-03-2022 10:54 AM

Try this approach. Begin by reading one lookup file and marking the entries as "file1".  Then read in the other lookup file and mark the entries as "file2".  Rename the main column to match the first lookup.  Use the stats command to merge the two result sets together, counting them by Serial Number.  Any entry with a count less than 2 means one of the lookups was missing that value.  The "file1" or "file2" mark will tell you which file has the value so it must be missing from the other one.

| inputlookup file1
| eval src="file1"
| append [ | inputlookup file2
  | eval src="file2"
  | rename "System Serial Number" as "Serial Number"
]
| stats count, values(*) as * by 'Serial Number'
| where count < 2
| table "Serial Number" src

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-01-2022 12:57 PM

Consider writing a custom command in Python that accepts two lookup file names, compares them, and returns the percentage match in an output field.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...