Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Lookup compare with index

Krish14
Explorer
‎09-29-2023 10:26 AM

Query to output missing data in lookup file.


I have a lookup file with below data

country_name
--------------------

Brazil
Norway


My index search returns below data for field(country_name)

Brazil
Norway
Spain

------------------------------------------------------------------


How do I write a query (using join or append)- to output  only "Spain" in the results.

Thanks!


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Thulasinathan_M
Communicator
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

View solution in original post

Reply
Solved! Jump to solution

Thulasinathan_M
Communicator
‎09-29-2023 10:39 AM

Couldn't able to test this, but should work. Please let me know if it doesn't work.

index=index country_name
| table country_name
| join type=left country_name
    [search 
| inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 10:55 AM

Looks like there is a syntax error "search" keyword 
I removed it and tried with below, however,  the output has all the data from index.

We are only interested to output data from index - that is not present in lookup.

index=index country_name
| table country_name
| join type=left country_name
[ | inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution
Solution

Thulasinathan_M
Communicator
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 11:11 AM

Excellent, Works fine for me too. Thank you for prompt response! Much appreciated!

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Communicator
‎09-29-2023 11:13 AM

Happy that worked for you!!  🙂

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...