Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Lookup compare with index

Krish14
Explorer
‎09-29-2023 10:26 AM

Query to output missing data in lookup file.


I have a lookup file with below data

country_name
--------------------

Brazil
Norway


My index search returns below data for field(country_name)

Brazil
Norway
Spain

------------------------------------------------------------------


How do I write a query (using join or append)- to output  only "Spain" in the results.

Thanks!


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

View solution in original post

Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 10:39 AM

Couldn't able to test this, but should work. Please let me know if it doesn't work.

index=index country_name
| table country_name
| join type=left country_name
    [search 
| inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 10:55 AM

Looks like there is a syntax error "search" keyword 
I removed it and tried with below, however,  the output has all the data from index.

We are only interested to output data from index - that is not present in lookup.

index=index country_name
| table country_name
| join type=left country_name
[ | inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 11:11 AM

Excellent, Works fine for me too. Thank you for prompt response! Much appreciated!

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 11:13 AM

Happy that worked for you!!  🙂

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

SOK it to Me: Top 3 Benefits of Using Splunk Operator on Kubernetes that’ll Make ...

    Thursday, July 9, 2026  |  11:00AM–12:00PM PDT Duration: 1 hour (includes Q&A) Managing can feel like a ...

Upgrade Prep for 10.4, Network Observability Deep Dives, and More from Splunk Lantern

Splunk Lantern is Splunk’s customer success center that provides practical guidance from Splunk experts on key ...

Splunk Developer Day announcements: AI agents, MCP tools, Forecasting, and Custom ...

Splunk Developer Day was packed with product and platform updates for developers building in the AI ...