Solved: See what values match in a specified field between...

atebysandwich · ‎03-10-2023

I have two look up and both have a field called DNS. I need to figure out which values in those fields match. I have tried the below per a different thread, which in theory is what I'm looking for, but I kept getting an error (Error in 'from' command: Invalid dataset specifier) at the join command on line 3.

Similar issue but solution didn't work

| inputlookup Test1.csv
| fields UserName, Count | rename Count as Count1
| join type=inner UserName
[| inputlookup Test2.csv
| fields UserName, Count | rename Count as count2]

richgalloway · ‎03-10-2023

Check the search log to see if there's better information about that error.

This query might give you the results you want.

| inputlookup Test1.csv
| fields UserName, Count | rename Count as Count1
| append [ | inputlookup Test2.csv
  | fields UserName, Count | rename Count as count2 ]
| stats values(*) as * by UserName

---
If this reply helps you, Karma would be appreciated.

View solution in original post

yuanliu · ‎03-10-2023

Instead of expensive join, you can simply perform a lookup which is efficient.

| inputlookup Test1.csv
| fields UserName, Count | rename Count as Count1
| lookup Test2.csv UserName OUTPUT Count as count2
| where isnotnull(count2)

richgalloway · ‎03-10-2023

Check the search log to see if there's better information about that error.

This query might give you the results you want.

| inputlookup Test1.csv
| fields UserName, Count | rename Count as Count1
| append [ | inputlookup Test2.csv
  | fields UserName, Count | rename Count as count2 ]
| stats values(*) as * by UserName

---
If this reply helps you, Karma would be appreciated.

See what values match in a specified field between lookups?

fields

join

lookup

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms