Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

How to find the difference in field values between two lookups

Jasper
Loves-to-Learn Lots
‎06-01-2022 07:52 AM

Hello all,

I had a question that I have been trying to figure out how to address within a concise SPL query. 

I have two lookups with a field name of X, lookup1 and lookup2 have all these values populated and I am trying to find a query to output the difference in field values for X between the two lookups. 

lookup1's X value has a Multi-value field, where as lookup2 is only single values.

E.g.

Lookup1 has field values:

Banana

Apple

Oranges

 

Lookup2 has field values:

Banana

 

Expected output from desired query:

Apple

Oranges

 

Is there a way to do this between these two lookups with the above in mind? This seems feasible with one lookup, but comparing two lookups has proven to be difficult. Any support would be appreciated!

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2022 08:13 AM 
| inputlookup lookup1
| append [| inputlookup lookup2]
| stats count by field
| where count = 1
0 Karma
Reply

Jasper
Loves-to-Learn Lots
‎06-02-2022 06:34 AM

Thanks for the reply, I could see this working out however I used an alternative approach I would like to share that worked for my purposes. This syntax issue initially was causing some frustration.

 

| from inputlookup:1 | search NOT [ | inputlookup2 ]

 

This logic I believe works only if the first field names are in alignment, can append a pipe and field after inputlookup2 to help this logic work out. This was the most concise query I could find.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Observability Simplified: Combining User Experience, Application Performance & ...

Tech Talk Observability Simplified: Combining User Experience, Application Performance & Network ...

Event Series May & June: From Network Visibility to Service Intelligence

Unifying the Network: Moving from Alert Noise to Service Intelligence with Splunk ITSI In today’s hybrid ...

Global Splunk User Group Events: May + June 2026

Your Splunk Community Awaits: Discover Upcoming User Group Events Worldwide    Staying ahead in the fast-paced ...