Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

lookup csv file

kacel
New Member
‎07-02-2019 02:55 AM

good morning ,
i have some issues on splunk now if some one can help me ;
the is a discription of my csv :

|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |

so what i want to do is to ignore the line where Hostname == Parent and only from the side of Hostname what i mean is it can be a lot of values equal to V1 on Parent .but in hostname its apear one time
thank all.

Tags (1)
0 Karma
Reply

renjith_nair
Legend
‎07-03-2019 05:53 AM

@kacel,

Are you looking for something similar ?

    | inputlookup your_lookup.csv
    | eventstats values(Parent) as _tmp
    | eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)  | where found!=1
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
Reply

kacel
New Member
‎07-03-2019 02:03 AM

i want to compare all values on colum Parent with Hostname values
and if there is an equal then ignore the first line and not all lines so in esult
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

target
|Hostname |VersionSoftware | Parent |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

0 Karma
Reply

sandeepmakkena
Contributor
‎07-03-2019 10:37 AM

| inputlookup my_csv
| eventstats values(Parent) as parent_tmp
| eval found=if(isnull(mvfind(parent_tmp,Host)),0,1) | where found!=1
| table Host Parent Version

This gives what you are looking for.

0 Karma
Reply

jkat54
SplunkTrust
SplunkTrust
‎07-02-2019 05:13 AM

| inputlookup yourlookup.csv
| where hostname!=parent

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-02-2019 05:58 AM

If those are exactly right example, then case matters!

Working off this more or less perfect answer...

| inputlookup yourlookup.csv
| where Hostname!=Parent

give that a try!

If it doesn't work, please provide what it DOES give you back, and where it's wrong. And what you wanted instead.

Happy Splunking!
Rich

Reply

kacel
New Member
‎07-02-2019 05:44 AM

thank you for answer,
but your proposition doesnt work .
i had false result
i think that i must use a loop fixing hostname and iterating on parent .
thanks if u have something-eles

0 Karma
Reply

Richfez
SplunkTrust
SplunkTrust
‎07-02-2019 05:56 AM

@kacel, Please be careful to "Add comment" when replying to a particular answer instead of "Post Your Answer To This Question". I moved this comment to where it belongs for you.

Unless of course you found your own answer and are helping everyone else by writing it down here!

Anyway - no worries, it's not a big deal, just something to be careful of!

Happy Splunking,
Rich

0 Karma
Reply
Get Updates on the Splunk Community!

Application management with Targeted Application Install for Victoria Experience

  Experience a new era of flexibility in managing your Splunk Cloud Platform apps! With Targeted Application ...

Index This | What goes up and never comes down?

January 2026 Edition  Hayyy Splunk Education Enthusiasts and the Eternally Curious!   We’re back with this ...

Splunkers, Pack Your Bags: Why Cisco Live EMEA is Your Next Big Destination

The Power of Two: Splunk + Cisco at "Ludicrous Scale"   You know Splunk. You know Cisco. But have you seen ...