Yes, such use cases are quite common and simple, and it is not always appropriate to use a lookup table. In fact, correlation search is the most fundamental strength of Splunk. Meanwhile, you do want to consider whether it is appropriate to compare the two sourcetypes over the same search time period. That said, your final table is not very illustrative of the statement "make a table using fields from sourcetype B that do not exist in sourcetype A", because IP is nowhere in that table. Mind-reading 1: I will insert src_ip into the table. More critically, you did not illustrate what exactly you mean by "compare (IPs from sourcetype A) against a larger set of IPs". In the end result, do you want to list IPs in sourcetype B that do not exist in sourcetype A? Mind-reading 2: I will assume no on this.

index=paloalto (sourcetype=sourcetype_B OR sourcetype=sourcetype_A)
| stats values(field_A) as field_A values(field_B) as field_B values(field_C) as field_C values(sourcetype) as sourcetype by src_ip
| where sourcetype == "sourcetype_A"
| fields - sourcetype

Here, the filter uses a side effect of Splunk's equality comparator on multivalue fields. (There are more semantically expressive alternatives, but most people just use this shortcut.)
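The correlation above, modelled outside Splunk so the set logic can be checked on known input. This is an added example, not part of the answer above: it re-implements `stats values(...) by src_ip` over a handful of constructed events (field names `field_A`, `field_B`, `field_C`, `src_ip` are taken from the question; the values are made up), then keeps the src_ip rows whose only sourcetype is the one requested, which is what the explicit SPL form `where mvcount(sourcetype) == 1 AND sourcetype == "sourcetype_A"` expresses without relying on the multivalue comparator shortcut. Because the base search is restricted to exactly two sourcetypes, "IPs seen only in B" and "IPs in B that do not exist in A" are the same set, so the alternative reading of the question is just `keep="sourcetype_B"`.

```python
from collections import defaultdict

# Constructed sample events standing in for the results of
# index=paloalto (sourcetype=sourcetype_B OR sourcetype=sourcetype_A).
# Not real Palo Alto data; src_ip 10.0.0.2 deliberately appears in both sourcetypes.
EVENTS = [
    {"sourcetype": "sourcetype_A", "src_ip": "10.0.0.1", "field_A": "a1"},
    {"sourcetype": "sourcetype_A", "src_ip": "10.0.0.2", "field_A": "a2"},
    {"sourcetype": "sourcetype_B", "src_ip": "10.0.0.2", "field_B": "b2", "field_C": "c2"},
    {"sourcetype": "sourcetype_B", "src_ip": "10.0.0.3", "field_B": "b3", "field_C": "c3"},
    {"sourcetype": "sourcetype_B", "src_ip": "10.0.0.3", "field_B": "b3x", "field_C": "c3"},
    {"sourcetype": "sourcetype_B", "field_B": "no-ip"},  # no src_ip: dropped by the by-clause
]

# Fields collected by the stats command in the answer's search.
FIELDS = ("field_A", "field_B", "field_C", "sourcetype")


def stats_values_by_src_ip(events):
    """Mimic `stats values(f) as f ... by src_ip`.

    One row per src_ip; each field becomes a sorted list of its distinct
    values (values() is distinct and lexicographically ordered). Fields with
    no value for that src_ip are omitted, as Splunk leaves them null.
    """
    rows = defaultdict(lambda: {f: set() for f in FIELDS})
    for ev in events:
        ip = ev.get("src_ip")
        if ip is None:
            continue  # events lacking the by-field never reach the output
        for f in FIELDS:
            if f in ev:
                rows[ip][f].add(ev[f])
    return {ip: {f: sorted(v) for f, v in r.items() if v} for ip, r in rows.items()}


def correlate(events, keep="sourcetype_A"):
    """Full pipeline: stats by src_ip, keep rows whose sourcetype list is
    exactly [keep] (the explicit mvcount()==1 AND sourcetype==keep form),
    then drop the sourcetype column like `fields - sourcetype`."""
    out = {}
    for ip, row in stats_values_by_src_ip(events).items():
        if row.get("sourcetype") == [keep]:
            out[ip] = {f: v for f, v in row.items() if f != "sourcetype"}
    return out


if __name__ == "__main__":
    for ip, row in correlate(EVENTS).items():
        print(ip, row)
```

Swapping `keep="sourcetype_B"` gives the IPs that occur only in sourcetype B, i.e. the "in B but not in A" reading the answer declined to assume; adding a third sourcetype to the base search would break that equivalence, which is the real reason the explicit mvcount form is easier to reason about than the comparator shortcut.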