Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Splunk Lookup compare with index

Krish14
Explorer
‎09-29-2023 10:26 AM

Query to output missing data in lookup file.


I have a lookup file with below data

country_name
--------------------

Brazil
Norway


My index search returns below data for field(country_name)

Brazil
Norway
Spain

------------------------------------------------------------------


How do I write a query (using join or append)- to output  only "Spain" in the results.

Thanks!


Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

View solution in original post

Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 10:39 AM

Couldn't able to test this, but should work. Please let me know if it doesn't work.

index=index country_name
| table country_name
| join type=left country_name
    [search 
| inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 10:55 AM

Looks like there is a syntax error "search" keyword 
I removed it and tried with below, however,  the output has all the data from index.

We are only interested to output data from index - that is not present in lookup.

index=index country_name
| table country_name
| join type=left country_name
[ | inputlookup 
| stats count as Exist by country_name]
| fillnull Exist value=0
| where Exist=0

 

0 Karma
Reply
Solved! Jump to solution
Solution

Thulasinathan_M
Contributor
‎09-29-2023 11:05 AM

Try this, it works for me

index=index
| stats count by country_name
| join type=left country_name
    [| inputlookup tests.csv
    | stats count as Exists by country_name]
| fillnull Exists value=0
| where Exists=0

 

Reply
Solved! Jump to solution

Krish14
Explorer
‎09-29-2023 11:11 AM

Excellent, Works fine for me too. Thank you for prompt response! Much appreciated!

0 Karma
Reply
Solved! Jump to solution

Thulasinathan_M
Contributor
‎09-29-2023 11:13 AM

Happy that worked for you!!  🙂

Reply
Get Updates on the Splunk Community!

Index This | When is October more than just the tenth month?

October 2025 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What’s New & Next in Splunk SOAR

 Security teams today are dealing with more alerts, more tools, and more pressure than ever.  Join us for an ...