Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

lookup csv file

kacel
New Member
‎07-02-2019 02:55 AM

good morning ,
i have some issues on splunk now if some one can help me ;
the is a discription of my csv :

|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |

so what i want to do is to ignore the line where Hostname == Parent and only from the side of Hostname what i mean is it can be a lot of values equal to V1 on Parent .but in hostname its apear one time
thank all.

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎07-03-2019 05:53 AM

@kacel,

Are you looking for something similar ?

    | inputlookup your_lookup.csv
    | eventstats values(Parent) as _tmp
    | eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)  | where found!=1
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

kacel
New Member
‎07-03-2019 02:03 AM

i want to compare all values on colum Parent with Hostname values
and if there is an equal then ignore the first line and not all lines so in esult
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

target
|Hostname |VersionSoftware | Parent |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

0 Karma
Reply

sandeepmakkena
Contributor
‎07-03-2019 10:37 AM

| inputlookup my_csv
| eventstats values(Parent) as parent_tmp
| eval found=if(isnull(mvfind(parent_tmp,Host)),0,1) | where found!=1
| table Host Parent Version

This gives what you are looking for.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-02-2019 05:13 AM

| inputlookup yourlookup.csv
| where hostname!=parent

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-02-2019 05:58 AM

If those are exactly right example, then case matters!

Working off this more or less perfect answer...

| inputlookup yourlookup.csv
| where Hostname!=Parent

give that a try!

If it doesn't work, please provide what it DOES give you back, and where it's wrong. And what you wanted instead.

Happy Splunking!
Rich

Reply

kacel
New Member
‎07-02-2019 05:44 AM

thank you for answer,
but your proposition doesnt work .
i had false result
i think that i must use a loop fixing hostname and iterating on parent .
thanks if u have something-eles

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-02-2019 05:56 AM

@kacel, Please be careful to "Add comment" when replying to a particular answer instead of "Post Your Answer To This Question". I moved this comment to where it belongs for you.

Unless of course you found your own answer and are helping everyone else by writing it down here!

Anyway - no worries, it's not a big deal, just something to be careful of!

Happy Splunking,
Rich

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Index This | What travels the world but is also stuck in place?

April 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Discover New Use Cases: Unlock Greater Value from Your Existing Splunk Data

Realizing the full potential of your Splunk investment requires more than just understanding current usage; it ...

Continue Your Journey: Join Session 2 of the Data Management and Federation Bootcamp ...

As data volumes continue to grow and environments become more distributed, managing and optimizing data ...