Splunk Search

lookup csv file

kacel
New Member

Good morning,
I have some issues with Splunk right now, if someone can help me.
This is a description of my CSV:

|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |

So what I want to do is ignore the line where Hostname == Parent, and only from the side of Hostname. What I mean is that there can be a lot of values equal to V1 in Parent, but in Hostname it appears one time.
Thank you all.

0 Karma

renjith_nair
Legend

@kacel,

Are you looking for something similar?

    | inputlookup your_lookup.csv
    | eventstats values(Parent) as _tmp
    | eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
    | where found!=1
---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma

kacel
New Member

I want to compare all values in column Parent with the Hostname values,
and if there is an equal one then ignore the first line and not all lines, so in result
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

target
|Hostname |VersionSoftware | Parent |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

0 Karma

sandeepmakkena
Contributor

    | inputlookup my_csv
    | eventstats values(Parent) as parent_tmp
    | eval found=if(isnull(mvfind(parent_tmp,Hostname)),0,1)
    | where found!=1
    | table Hostname Parent VersionSoftware

This gives what you are looking for.

0 Karma

jkat54
SplunkTrust

    | inputlookup yourlookup.csv
    | where hostname!=parent

0 Karma

Richfez
SplunkTrust

If those examples are exactly right, then case matters!

Working off this more or less perfect answer...

    | inputlookup yourlookup.csv
    | where Hostname!=Parent

Give that a try!

If it doesn't work, please provide what it DOES give you back, and where it's wrong. And what you wanted instead.

Happy Splunking!
Rich

kacel
New Member

Thank you for the answer,
but your proposition doesn't work.
I had a false result.
I think that I must use a loop fixing Hostname and iterating on Parent.
Thanks if you have something else.

0 Karma

Richfez
SplunkTrust

@kacel, Please be careful to "Add comment" when replying to a particular answer instead of "Post Your Answer To This Question". I moved this comment to where it belongs for you.

Unless of course you found your own answer and are helping everyone else by writing it down here!

Anyway - no worries, it's not a big deal, just something to be careful of!

Happy Splunking,
Rich

0 Karma
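
The two readings of the question discussed in this thread, worked through in Python on the table kacel posted. This is an added example, not code from any poster or from Splunk: it compares the row-by-row `Hostname != Parent` test with dropping every row whose Hostname occurs anywhere in the Parent column. The function names are assumptions made for illustration.

```python
# Added example: SAMPLE is the input table from the thread, copied as posted.
SAMPLE = """\
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |
"""


def parse_pipe_table(text):
    """Parse the pipe-delimited table into a list of dicts, trimming cell padding."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]

    def cells(line):
        return [c.strip() for c in line.strip("|").split("|")]

    header = cells(lines[0])
    return [dict(zip(header, cells(ln))) for ln in lines[1:]]


def rowwise_filter(rows):
    """Row-by-row test: keep a row if its own Hostname differs from its own Parent."""
    return [r for r in rows if r["Hostname"] != r["Parent"]]


def drop_hosts_used_as_parent(rows):
    """Column-wide test: drop a row if its Hostname equals the Parent of ANY row.

    The comparison is exact and case-sensitive, so V10 is not dropped because of V1.
    """
    parents = {r["Parent"] for r in rows}
    return [r for r in rows if r["Hostname"] not in parents]


def hostnames(rows):
    """Return just the Hostname column, in row order."""
    return [r["Hostname"] for r in rows]


if __name__ == "__main__":
    rows = parse_pipe_table(SAMPLE)
    print("row-wise   :", hostnames(rowwise_filter(rows)))
    print("column-wide:", hostnames(drop_hosts_used_as_parent(rows)))
```

On this sample the row-by-row test keeps all five rows, because no row has the same value in both columns; only the column-wide test reproduces the target table.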