Solved: get rows in lookup that does not have entry in sea...

dchoubey · ‎09-09-2020

I have a Lookup "Consumer_Lookup.csv" (30 rows approx)

Consumer Restricted

A Y

B Y

C N

Search - Index = "xyz" |stats count(Status) AS Total by ClientId|Table ClientId TOtal

ClientId Total

A 500

C 200

my requirement is to find any Consumer in Lookup with Restricted = "Y" not in the search result. Can you please advise on how to proceed. Should I use Join or any other alternative .

Thanks for your help!!

abowesman · ‎09-09-2020

@dchoubey

base_search
| append [
  | inputlookup Consumer_Lookup.csv
  | rename Consumer as ClientId
]
| stats values(*) as * by ClientId
| where isnull(Total)

will do the trick

View solution in original post

dchoubey · ‎09-09-2020

Thank you @abowesman it worked perfectly

abowesman · ‎09-09-2020

@dchoubey

base_search
| append [
  | inputlookup Consumer_Lookup.csv
  | rename Consumer as ClientId
]
| stats values(*) as * by ClientId
| where isnull(Total)

will do the trick

get rows in lookup that does not have entry in search result

join

lookup

Splunk Observability for AI

Splunk Enterprise Security 8.x: The Essential Upgrade for Threat Detection, ...

Splunk Observability as Code: From Zero to Dashboard

Are you a member of the Splunk Community?