Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: help to write the request correctly
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-21-2021
11:24 AM
Hello guys!!
help to write the request correctly. otherwise I don't understand how to do it right
file.csv
| username | ip_address_old | id_old | desti |
| John | 192.168.11.5 | 1234 | abcd |
index = IndexName
| usernem | ip_address_new | id_new | desti |
| John | 172.168.15.10 | 4321 | bsir |
Where id_old != id_new. output
| usernem | ip_address_new | id_new | desti | id_old |
| John | 172.168.15.10 | 4321 | bsir | 1234 |
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
08:04 AM
index=IndexName
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_oldThanks !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-21-2021
02:01 PM
Try something like this:
index=IndexName
| table username ip_address_new id_new desti
| lookup username file.csv OUTPUT id_old
| where id_new!=id_old- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
08:04 AM
index=IndexName
| table username ip_address_new id_new desti
| lookup file.csv username OUTPUT id_old
| where id_new!=id_oldThanks !!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-22-2021
04:37 AM
Error in 'lookup' command: Could not construct lookup 'username, file.csv, OUTPUT, id_old'.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
10-22-2021
07:00 AM
Could you provide the actual query you tried? You may have added commas instead of spaces in lookup command. See this for syntax and example of lookup command:
https://docs.splunk.com/Documentation/SCS/current/SearchReference/LookupCommandExamples
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
gitingua
Communicator
10-24-2021
07:52 AM
index = index
| table username src_ip asn
| lookup username user.csv OUTPUT asn_old
| where asn != asn_old
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
nmohammed
Builder
10-21-2021
01:47 PM
can you share your search query that you're trying for this result ?
Get Updates on the Splunk Community!
Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps
It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...
What’s New in Splunk Observability – September 2025
What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...
Fun with Regular Expression - multiples of nine
Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...
