Splunk Search

compare output of a search to a lookup file

aalaa
Path Finder

Hello ,

I have a csv lookup file that contains all Oracle services, at the same time I have a search that gives me the active services now, I need to know what the service is missing in the result of search on comparison by the csv files.

Any help please?

Tags (1)
0 Karma
1 Solution

gcusello
SplunkTrust
SplunkTrust

Hi aalaa,
if the field is called "service" both in index and in lookup, try something like this:

index=my_index
| eval service=lower(service)
| stats count BY service
| append [ | inputlookup Oracle_services.csv | eval count=0, service=lower(service) | fields count service ]
| stats sum(count) AS Total BY service
| where Total=0

In this way you have al the missing services.

If you want to list all the services displayng status, you have to replace the last row with

| eval Status=if(Total=o,"Missing","Present")
| table service Status

Bye.
Giuseppe

View solution in original post

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi aalaa,
if the field is called "service" both in index and in lookup, try something like this:

index=my_index
| eval service=lower(service)
| stats count BY service
| append [ | inputlookup Oracle_services.csv | eval count=0, service=lower(service) | fields count service ]
| stats sum(count) AS Total BY service
| where Total=0

In this way you have al the missing services.

If you want to list all the services displayng status, you have to replace the last row with

| eval Status=if(Total=o,"Missing","Present")
| table service Status

Bye.
Giuseppe

0 Karma

aalaa
Path Finder

This search return the list of service in the csv file :

index=my_index
| eval service=lower(service)
| stats count BY service
| append [ | inputlookup Oracle_services.csv | eval count=0, service=lower(service) | fields count service ]
| stats sum(count) AS Total BY service
| eval Status=if(Total=o,"Missing","Present")
| table service Status

I want to display the name of service that not actif now

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi aalaa,
to display the list of not active services, you have to use the first choice (the one with | where Total=0 ) because the condition to identify not present services is that these services are in the lookup table (count=0) but not in the index (count>0).
Bye.
Giuseppe

0 Karma
Get Updates on the Splunk Community!

Optimize Cloud Monitoring

  TECH TALKS Optimize Cloud Monitoring Tuesday, August 13, 2024  |  11:00AM–12:00PM PST   Register to ...

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...