Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Using Lookup files and identifying the changes in each file

madakkas
Explorer
‎02-12-2018 08:05 PM

Hi All,

I have a question that I am trying to solve …

I have two files which I can upload to be used as inputlookup.csv

Sample as below
tab1.csv
Date Col1 Col2 Col3 Col4 Col5
1-Jan-18 Y N N N N
2-Jan-18 Y N N N N
3-Jan-18 Y Y Y Y Y
4-Jan-18 Y Y Y Y Y
5-Jan-18 Y Y Y Y Y
6-Jan-18 Y Y Y Y Y
7-Jan-18 Y N N N Y
8-Jan-18 Y N N N Y
9-Jan-18 Y Y N Y Y
10-Jan-18 Y Y Y Y Y

tab2.csv

Date Col1 Col2 Col3 Col4 Col5
1-Jan-18 Y N N N N
2-Jan-18 Y N N N N
3-Jan-18 Y Y Y Y Y
4-Jan-18 N Y Y Y Y
5-Jan-18 Y Y Y Y Y
6-Jan-18 Y Y Y Y Y
7-Jan-18 Y N N N Y
8-Jan-18 Y N N N Y
9-Jan-18 Y Y Y Y Y
10-Jan-18 Y Y Y Y Y

I am looking for a way to join these two tables and sort the areas where there is a change as below

Date Col1 Col2 Col3 Col4 Col5 Output
4-Jan-18 N

9-Jan-18 Y

|inputlookup tab1.csv
|lookup tab2.csv Date Col1 Col2.

this gives me a complete set of results along with the mismatched columns. How can i remove all except the mismatched columns.

thank You in advance.

Tags (3)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-13-2018 07:54 PM

@madakkas,
copied your sample to the letter. here is a screenshot.
can you double checkalt text

View solution in original post

Preview file
69 KB
0 Karma
Reply
Solved! Jump to solution
Solution

adonio
Ultra Champion
‎02-13-2018 07:54 PM

@madakkas,
copied your sample to the letter. here is a screenshot.
can you double checkalt text

Preview file
69 KB
0 Karma
Reply
Solved! Jump to solution

madakkas
Explorer
‎02-13-2018 08:05 PM

Sorry mate , I had the dates in two different formats and hence the whole differences where thrown up . It did get the work moving, but is there a way we can identify the column which had the change ?

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎02-14-2018 03:10 AM

i am puzzled by it as well. trying to come up with a solution and will post it here once i figure it out

0 Karma
Reply
Solved! Jump to solution

madakkas
Explorer
‎02-14-2018 03:23 AM

I did something as below , though it is a bit complicated. Will as well wait for your advise if you have any simpler thoughts.

Kind of created a macro as below

|inputlookup tab1.csv| append [inputlookup tab2.csv]
|table Date $col_num$
|chart count over Date by $col_num$ |eval col_name = "$col_num$" |where N = 1 or Y = 1
|table Date col_name

and then will have to do an append to call the macro multiple times with the number of columns available.

0 Karma
Reply
Solved! Jump to solution

adonio
Ultra Champion
‎02-13-2018 07:55 AM

try this out as a base maybe we can work form there:

 | inputlookup tab2.csv
    | search NOT [| inputlookup tab1.csv ]

this will give you the entire line in which there was a change
hope it helps a little

0 Karma
Reply
Solved! Jump to solution

madakkas
Explorer
‎02-13-2018 06:33 PM

it just gave me the entire tab2.csv, not the differences in them .

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...