Splunk Search

How to find out which field values from logs that are not found in a CSV file?

chlily
New Member

The abclogs index contains a field call "userid" and there is similar field "identity" in the file totalname.csv. Now I run the search as below to try to find out those userid which are not in the file totalname.csv

index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

Here is the result:
⚠ Error in 'fields' command: Invalid argument: 'identity='jamessmith'

No idea how to fix it.

0 Karma

woodcock
Esteemed Legend

Like this:

index=abclogs | stats count by userid | eval userid=lower(userid) | search NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

And if you like, tack on | fields userid.

0 Karma

woodcock
Esteemed Legend

Did this work?

0 Karma

pradeepkumarg
Influencer

you will have to rename indentity as userid in your sub search


index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | rename identity as userid | table userid]

.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!