Splunk Search

How to create exception list by comparing two tables.

Hema_Nithya
Explorer

How to get the exception from the tables below? The exception is John, who is not in the HR table.

User list from the servers.

Name   ID
Bill   23
Peter  24
john   25

HR Table

Name   ID
Bill   23
Peter  24
Anita  27
0 Karma

richgalloway
SplunkTrust

Perhaps something like

| inputlookup servers.csv where NOT [|inputlookup HR.csv | format]
---
If this reply helps you, Karma would be appreciated.
0 Karma

yuanliu
SplunkTrust

Using a subsearch results in a large number of OR operators. It's probably more economical to just do stats

| inputlookup servers.csv
| eval CSV = "servers"
| inputlookup append=true HR.csv
| fillnull CSV value=HR
| stats values(CSV) as CSV by Name ID
| where mvcount(CSV) == 1 AND CSV == "servers"

(Again, thanks @richgalloway for demonstrating append mode!)

0 Karma
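
An added example, not part of either reply: the stats approach above run against rows built inline with makeresults, so it can be tried without the lookup files. The rows are constructed from the question's tables with one server name lowercased to show the effect of normalizing names; the field names source_table, seen_in and name_key are assumptions of this example, and it assumes a Splunk version whose makeresults accepts format=csv.

```spl
| makeresults format=csv data="Name,ID
Bill,23
peter,24
john,25"
| eval source_table="servers"
| append
    [| makeresults format=csv data="Name,ID
Bill,23
Peter,24
Anita,27"
    | eval source_table="HR"]
| eval name_key=lower(trim(Name))
| stats values(source_table) as seen_in values(Name) as Name by name_key ID
| where mvcount(seen_in) == 1 AND seen_in == "servers"
| table Name ID
```

Only john / 25 is returned. stats groups by exact value, so grouping on the raw Name instead of name_key would also report peter / 24 as missing from HR.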