Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to create exception list by comparing two tables .

Hema_Nithya
Explorer
‎10-11-2023 09:19 AM

 

 

 

How to get the exception from the below tables. Exception is John who is not HR table .

 

 

User list from the servers.

 

Name ID 
Bill23
Peter24
john 25

 

HR Table 

Name ID 
Bill 23
Peter 24
Anita27
Labels (2)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎10-11-2023 09:49 AM

Perhaps something like

| inputlookup servers.csv where NOT [|inputlookup HR.csv | format]
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎10-11-2023 11:08 AM

Using subsearch results in large number of OR operators.  It's probably more economic just doing stats

| inputlookup servers.csv
| eval CSV = "servers"
| inputlookup append=true HR.csv
| fillnull CSV value=HR
| stats values(CSV) as CSV by Name ID
| where mvcount(CSV) == 1 AND CSV == "servers"

(Again, thanks @richgalloway for demonstrating append mode!)

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...
Top