Splunk Search

How to create exception list by comparing two tables .

Hema_Nithya
Explorer

 

 

 

How to get the exception from the below tables. Exception is John who is not HR table .

 

 

User list from the servers.

 

Name ID 
Bill23
Peter24
john 25

 

HR Table 

Name ID 
Bill 23
Peter 24
Anita27
Labels (2)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Perhaps something like

| inputlookup servers.csv where NOT [|inputlookup HR.csv | format]
---
If this reply helps you, Karma would be appreciated.
0 Karma

yuanliu
SplunkTrust
SplunkTrust

Using subsearch results in large number of OR operators.  It's probably more economic just doing stats

| inputlookup servers.csv
| eval CSV = "servers"
| inputlookup append=true HR.csv
| fillnull CSV value=HR
| stats values(CSV) as CSV by Name ID
| where mvcount(CSV) == 1 AND CSV == "servers"

(Again, thanks @richgalloway for demonstrating append mode!)

0 Karma
Get Updates on the Splunk Community!

Deep Dive into Federated Analytics: Unlocking the Full Power of Your Security Data

In today’s complex digital landscape, security teams face increasing pressure to protect sprawling data across ...

Your summer travels continue with new course releases

Summer in the Northern hemisphere is in full swing, and is often a time to travel and explore. If your summer ...

From Alert to Resolution: How Splunk Observability Helps SREs Navigate Critical ...

It's 3:17 AM, and your phone buzzes with an urgent alert. Wire transfer processing times have spiked, and ...