Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk query to compare a field from search with a field from lookup and find the unmatched ones

srivardhini92
Observer
‎11-20-2023 06:39 AM

Hi Can you please let me know how to frame splunk query compare a field from search with a field from lookup and find the unmatched ones from the lookup table

Labels (1)
Labels
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎11-20-2023 07:02 AM

The general form is

<<some search that returns field 'foo'>> NOT [ | inputlookup mylookup.csv | field foo ]

If the lookup file does not contain 'foo' then you'll need a rename command to change what it has to 'foo'.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

PickleRick
SplunkTrust
SplunkTrust
‎11-20-2023 07:28 AM

@richgalloway's solution is one of the possible answers. It has its pros and cons. The other possibility is to search for all events, do a lookup on them and find non-matched ones.

<your_search>
| lookup your_lookup match_field OUTPUT match_field AS new_match_field
| where isnull(new_match_field

 Typically you'd use mine option later in the search pipeline while @richgalloway 's solution would probably be more suitable in the initial search.

Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...