Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

Splunk Lookup compare with index

Krish14
Explorer
‎09-29-2023 10:26 AM

Query to output missing data in lookup file.


I have a lookup file with below data

country_name
--------------------

Brazil
Norway


My index search returns below data for field(country_name)

Brazil
Norway
Spain

------------------------------------------------------------------


How do I write a query (using join or append)- to output  only "Spain" in the results.

Thanks!


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

View solution in original post

Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 10:39 AM

Couldn't able to test this, but should work. Please let me know if it doesn't work.

index=index country_name
| table country_name
| join type=left country_name
    [search 
| inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 10:55 AM

Looks like there is a syntax error "search" keyword 
I removed it and tried with below, however,  the output has all the data from index.

We are only interested to output data from index - that is not present in lookup.

index=index country_name
| table country_name
| join type=left country_name
[ | inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 11:11 AM

Excellent, Works fine for me too. Thank you for prompt response! Much appreciated!

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 11:13 AM

Happy that worked for you!!  🙂

Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Build the Future of Agentic AI: Join the Splunk Agentic Ops Hackathon

AI is changing how teams investigate incidents, detect threats, automate workflows, and build intelligent ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...

Splunk Community Badges!

  Hey everyone! Ready to earn some serious bragging rights in the community? Along with our existing badges ...