Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

comparing data from index and input table

60150134
New Member
‎01-02-2020 09:33 PM

Hi Everyone,

Thanks for your support too.

I have indexed data of staff events from a source. One field in that data is "Surname".

I have an input table of all staff, field 1 is "Surname".

Please can you help me to report on all staff names from the input CSV that do not have events in the indexed data?

Thank you so much!

0 Karma
Reply

jpolvino
Builder
‎01-03-2020 05:50 AM

Something like this might help.

(your indexed search that returns Surname)
| stats count AS SurnameCount by Surname
| inputlookup staff_lookup.csv append=true
| chart sum(surnameCount) as abc by Surname
| eval abc=if(isnotnull(abc),abc,0)
| where abc=0

This uses a sentinel value concept, better explained here: https://conf.splunk.com/session/2015/conf2015-LookupTalk.pdf on slide 25

0 Karma
Reply
Get Updates on the Splunk Community!