Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter list of hosts from 2 lookup tables?

pavanae
Builder
‎10-19-2017 12:19 PM

I have a lookup search as follows

|inputlookup hostnames.csv

Which displays the results as follows

my_hostname

abc.com
fgb.com

Now I have another lookup as follows

| inputlookup total_hosts.csv | rename Hostname as my_hostname | table my_hostname

Which displays the results as follows

my_hostname

xyz.abc.com
abc.com
fgb.com
yhk
kjhgd.com

Now how can I filter the list of hosts that were in total_hosts.csv and not in the hostnames.csv. I'm just trying to see the list of hosts that were missing in hostnames.csv by comparing with hosts on total_hosts.csv

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-19-2017 12:25 PM

Here's how I would do that:
| inputlookup total_hosts.csv | lookup hostnames.csv my_hostname OUTPUT my_hostname AS found_hostname | where isnull(found_hostname)

Or if you are certain that all all the hostnames in hostnames.csv are in total_hosts.csv (so total_hosts.csv list is a strict superset of hostnames.csv), then I believe this should work:
| set diff [ | inputlookup total_hosts.csv ] [| inputlookup hostnames.csv]
But be forewarned that if there are any entries in hostnames.csv that weren't in total_hosts.csv, then they will also show up in this result set.

View solution in original post

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-22-2017 07:57 PM

@pavanae - if the answer has solved your issue, please accept the answer so the question will show as closed.

0 Karma
Reply
Solved! Jump to solution
Solution

elliotproebstel
Champion
‎10-19-2017 12:25 PM

Here's how I would do that:
| inputlookup total_hosts.csv | lookup hostnames.csv my_hostname OUTPUT my_hostname AS found_hostname | where isnull(found_hostname)

Or if you are certain that all all the hostnames in hostnames.csv are in total_hosts.csv (so total_hosts.csv list is a strict superset of hostnames.csv), then I believe this should work:
| set diff [ | inputlookup total_hosts.csv ] [| inputlookup hostnames.csv]
But be forewarned that if there are any entries in hostnames.csv that weren't in total_hosts.csv, then they will also show up in this result set.

Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-19-2017 12:27 PM

One more option I just thought of:
| inputlookup total_hosts.csv | search NOT [ | inputlookup hostnames.csv | format ]
I think that's the proper syntax.

Reply
Solved! Jump to solution

DalJeanis
Legend
‎10-22-2017 07:59 PM

@elliotproebstel - Your first answer is the best technically, in my opinion. NOTs are inefficient, and set diff, as you noted, doesn't give any indication of which set the extra record may have been in.

0 Karma
Reply
Solved! Jump to solution

elliotproebstel
Champion
‎10-23-2017 11:35 AM

Thanks for the feedback. 🙂 Getting this kind of guidance is the best perk of participating in Splunk Answers.

0 Karma
Reply
Get Updates on the Splunk Community!

Observability Unlocked: Kubernetes Monitoring with Splunk Observability Cloud

 Ready to master Kubernetes and cloud monitoring like the pros? Join Splunk’s Growth Engineering team for an ...

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...