Splunk Search

lookup csv file

kacel
New Member

Good morning,
I have some issues with Splunk now, if someone can help me.
This is a description of my CSV:

|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |

So what I want to do is ignore the line where Hostname == Parent, and only from the side of Hostname. What I mean is that there can be a lot of values equal to V1 in Parent, but in Hostname it appears one time.
Thanks, all.

0 Karma

renjith_nair
SplunkTrust

@kacel,

Are you looking for something similar ?

    | inputlookup your_lookup.csv
    | eventstats values(Parent) as _tmp
    | eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
    | where found!=1

Happy Splunking!
0 Karma

kacel
New Member

I want to compare all values in column Parent with the Hostname values,
and if there is an equal one then ignore the first line and not all lines, so in result:
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

Target:
|Hostname |VersionSoftware | Parent |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

0 Karma

sandeepmakkena
Contributor

    | inputlookup my_csv
    | eventstats values(Parent) as parent_tmp
    | eval found=if(isnull(mvfind(parent_tmp,Hostname)),0,1)
    | where found!=1
    | table Hostname Parent VersionSoftware

This gives what you are looking for.

0 Karma
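
The filter described in the question, written out in Python against the asker's sample table so a search's output can be checked against it. This is an added example, not code from any poster in this thread; the function names and the CSV rendering of the table are assumptions. The second function is the row-by-row comparison, included for contrast: on this sample it keeps all five rows.

```python
import csv
import io

# Constructed sample: the asker's five-row table rendered as CSV (assumed layout).
SAMPLE_CSV = """Hostname,VersionSoftware,Parent
V1,xxxx,c1
V2,xxxx,c2
V3,xxxx,T3
V4,xxxx,V1
V5,xxxx,V1
"""


def load_rows(text):
    """Parse CSV text into a list of dicts, trimming stray whitespace."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k.strip(): (v or "").strip() for k, v in row.items()} for row in reader]


def drop_hosts_used_as_parent(rows):
    """Column-wise filter: drop every row whose Hostname occurs anywhere
    in the Parent column. The match is exact and case-sensitive, so V1
    does not match V10 or v1."""
    parents = {row["Parent"] for row in rows}
    return [row for row in rows if row["Hostname"] not in parents]


def drop_self_parented(rows):
    """Row-wise filter: drop a row only when its own Hostname equals
    its own Parent."""
    return [row for row in rows if row["Hostname"] != row["Parent"]]


def hostnames(rows):
    """Return just the Hostname column, in row order."""
    return [row["Hostname"] for row in rows]


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    print("column-wise:", hostnames(drop_hosts_used_as_parent(rows)))
    print("row-wise:   ", hostnames(drop_self_parented(rows)))
```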

jkat54
SplunkTrust

    | inputlookup yourlookup.csv
    | where hostname!=parent

0 Karma

Richfez
SplunkTrust

If those examples are exactly right, then case matters!

Working off this more or less perfect answer...

    | inputlookup yourlookup.csv
    | where Hostname!=Parent

Give that a try!

If it doesn't work, please provide what it DOES give you back, and where it's wrong. And what you wanted instead.

Happy Splunking!
Rich

kacel
New Member

Thank you for the answer,
but your proposition doesn't work.
I had a false result.
I think that I must use a loop fixing Hostname and iterating on Parent.
Thanks if you have something else.

0 Karma

Richfez
SplunkTrust

@kacel, Please be careful to "Add comment" when replying to a particular answer instead of "Post Your Answer To This Question". I moved this comment to where it belongs for you.

Unless of course you found your own answer and are helping everyone else by writing it down here!

Anyway - no worries, it's not a big deal, just something to be careful of!

Happy Splunking,
Rich

0 Karma