
How to find out which field values from logs are not found in a CSV file?

New Member

The abclogs index contains a field called "userid" and there is a similar field "identity" in the file totalname.csv. Now I run the search below to try to find out those userids which are not in the file totalname.csv:

index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

Here is the result:
⚠ Error in 'fields' command: Invalid argument: 'identity='jamessmith'

No idea how to fix it.

0 Karma

Esteemed Legend

Like this:

index=abclogs | stats count by userid | eval userid=lower(userid) | search NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

And if you like, tack on | fields userid.

0 Karma

Esteemed Legend

Did this work?

0 Karma

Influencer

You will have to rename identity as userid in your subsearch:

index=abclogs | stats count by userid | eval userid=lower(userid) | search NOT [|inputlookup totalname.csv | eval identity=lower(identity) | rename identity as userid | table userid]
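The logic the thread converges on (lowercase both sides, make the subsearch field name match the outer field, then keep only the userids that are not in the lookup) is an anti-join. The following is an added Python example, not code from the thread or from Splunk, that performs the same anti-join over constructed sample data so the behaviour can be checked offline. It goes one step beyond the thread's SPL: it lowercases and trims before counting, so case variants of the same id collapse into one row; in SPL that means moving the `eval userid=lower(userid)` in front of the `stats count by userid`.

```python
import csv
import io

# Constructed sample data (not from the original thread): the userid values of
# events in the abclogs index, and the contents of totalname.csv.
LOG_USERIDS = ["JamesSmith", "jamessmith", "AliceW", "bob.jones", "  Carol ", "dave"]
TOTALNAME_CSV = """identity,fullname
jamessmith,James Smith
alicew,Alice Williams
Carol,Carol King
"""


def normalize(value):
    """Mirror eval userid=lower(userid), plus trimming of stray whitespace."""
    return value.strip().lower()


def load_identities(csv_text):
    """Equivalent of: | inputlookup totalname.csv | eval identity=lower(identity)

    Returns the set of normalized identity values; rows with an empty identity
    are skipped so they cannot accidentally match a blank userid."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {normalize(row["identity"]) for row in reader if row.get("identity")}


def stats_count_by_userid(userids):
    """Equivalent of: | eval userid=lower(userid) | stats count by userid

    Normalizing before counting merges case variants into one row, which the
    thread's order (stats first, then eval) would leave as separate rows."""
    counts = {}
    for uid in userids:
        key = normalize(uid)
        counts[key] = counts.get(key, 0) + 1
    return counts


def userids_not_in_lookup(userids, csv_text):
    """The anti-join the thread is after:
    | search NOT [ |inputlookup totalname.csv | ... | rename identity as userid | table userid ]

    Returns {userid: count} for userids that do not appear in the CSV."""
    known = load_identities(csv_text)
    counts = stats_count_by_userid(userids)
    return {uid: n for uid, n in counts.items() if uid not in known}


if __name__ == "__main__":
    for uid, n in sorted(userids_not_in_lookup(LOG_USERIDS, TOTALNAME_CSV).items()):
        print(f"{uid}\t{n}")
```

With the sample data above, `jamessmith`, `alicew` and `carol` are found in the CSV and dropped, leaving `bob.jones` and `dave`. One caveat for the SPL version: a `[subsearch]` is expanded into an `OR` list of literal values and is capped by the subsearch result limit in limits.conf (10,000 rows by default), so for a large CSV the `| lookup totalname.csv identity AS userid OUTPUT identity AS matched | where isnull(matched)` pattern scales better than `search NOT [...]`.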