Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
Solved! Jump to solution

help to write the request correctly

gitingua
Communicator
‎10-21-2021 11:24 AM

Hello guys!!

help to write the request correctly. otherwise I don't understand how to do it right

file.csv

usernameip_address_oldid_olddesti
John192.168.11.51234abcd

 

index = IndexName

usernemip_address_newid_newdesti
John172.168.15.104321bsir

 

Where id_old != id_new. output

usernemip_address_newid_newdestiid_old
John172.168.15.104321bsir1234
Labels (5)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gitingua
Communicator
‎10-24-2021 08:04 AM 
index=IndexName 
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_old

Thanks !!

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-21-2021 02:01 PM

Try something like this:

index=IndexName 
| table username ip_address_new id_new desti
| lookup username file.csv OUTPUT id_old
| where id_new!=id_old
Reply
Solved! Jump to solution
Solution

gitingua
Communicator
‎10-24-2021 08:04 AM 
index=IndexName 
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_old

Thanks !!

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎10-22-2021 04:37 AM

Error in 'lookup' command: Could not construct lookup 'username, file.csv, OUTPUT, id_old'.

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎10-22-2021 07:00 AM

Could you provide the actual query you tried? You may have added commas instead of spaces in lookup command. See this for syntax and example of lookup command: 

https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples

0 Karma
Reply
Solved! Jump to solution

gitingua
Communicator
‎10-24-2021 07:52 AM

index = index

| table username src_ip asn
| lookup username user.csv OUTPUT asn_old
| where asn != asn_old

0 Karma
Reply
Solved! Jump to solution

nmohammed
Builder
‎10-21-2021 01:47 PM

@gitingua 

can you share your search query that you're trying for this result ?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Analytics Workspace deprecation

As of Splunk Cloud Platform 10.4.2604 and Splunk Enterprise 10.4, Analytics Workspace is now deprecated. ...

Splunk Developer Day Recap: Building, Publishing, and Growing on the Splunk Platform

Splunk Developer Day brought the Splunk developer community together for a practical look at what it means to ...

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...