Solved: How to match my lookup table?

abi2023 · ‎05-01-2023

my lookup table is history data for the search I am running. from my search and my lookup table I have command field is ID. I am trying to match the ID from my search to lookup table and display the result from lookup that not match to my search table.

lookup table name save.csv

my spl
base search | table _time field1 ID field2

_time	field1	ID	field2
02/23/23	DEMO1	1054	xyc
02/23/23	Demo2	1426	xyd

below is my lookup table

_time	field1	ID
02/23/23	DEMO1	1054
02/10/23	DEMO2	1426
02/05/23	DEMO3	8746

rut · ‎05-01-2023

So you want to display the values that are present in your lookup, but not in your search?

You could flip it by filtering your lookup by your search:

| inputlookup save.csv
| search NOT [ | ..your search.. | fields ID ]

View solution in original post

rut · ‎05-01-2023

So you want to display the values that are present in your lookup, but not in your search?

You could flip it by filtering your lookup by your search:

| inputlookup save.csv
| search NOT [ | ..your search.. | fields ID ]

How to match my lookup table?

lookup

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Are you a member of the Splunk Community?

How to match my lookup table?

lookup

Shape the Future of Splunk: Join the Product Research Lab!

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions