To make it really simple:
assets1.csv :
ip,mac_address,dns_name
192.168.1.241,01:50:56:94:46:b3,a.test.com
192.168.1.240,02:60:66:84:45:b1,b.test.com
192.168.1.239,05:51:56:64:13:b6,c.test.com
test_data_ip_changes.csv :
ip,mac_address,dns_name
192.168.1.241,01:50:56:94:46:b3,a.test.com
192.168.1.240,02:60:66:84:45:b1,b.test.com
192.168.1.239,05:51:56:64:13:b6,c.test.com
192.168.1.111,00:11:22:33:44:01,a.test.de
192.168.1.112,00:11:22:33:44:02,b.test.de
192.168.1.113,00:11:22:33:44:03,c.test.de
spl :
| inputlookup test_data_ip_changes.csv
| lookup assets1.csv ip outputnew ip as ip1, mac_address as ma1
| where isnull(ip1)
The way you formed your spl:
| lookup test_data_ip_changes.csv ip OUTPUTNEW ip as TestField
| where isnull(TestField)
Splunk only picks up the already existing IP addresses from your test_data...csv
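Added example, not part of the original reply: a Python emulation of the `lookup ... OUTPUTNEW` plus `where isnull(...)` pattern over the two CSV files from the post, showing that the file driving the search decides which rows survive. The helper names and the one-match-per-key simplification are assumptions, and the reverse direction assumes the driving rows are the known assets.

```python
import csv
import io

# Sample data copied from the post above.
ASSETS1 = """ip,mac_address,dns_name
192.168.1.241,01:50:56:94:46:b3,a.test.com
192.168.1.240,02:60:66:84:45:b1,b.test.com
192.168.1.239,05:51:56:64:13:b6,c.test.com
"""
TEST_DATA = ASSETS1 + """192.168.1.111,00:11:22:33:44:01,a.test.de
192.168.1.112,00:11:22:33:44:02,b.test.de
192.168.1.113,00:11:22:33:44:03,c.test.de
"""

def read_rows(text):
    """Parse CSV text into a list of dicts (stands in for inputlookup)."""
    return list(csv.DictReader(io.StringIO(text)))

def lookup_outputnew(rows, table, key, outputs):
    """Emulate `| lookup <table> <key> OUTPUTNEW src AS dst, ...`.
    Assumed simplification: one match per key. OUTPUTNEW never
    overwrites an existing field; no match leaves dst null (None)."""
    index = {}
    for t in table:
        index.setdefault(t[key], t)
    result = []
    for row in rows:
        new = dict(row)
        match = index.get(row[key])
        for src, dst in outputs.items():
            if new.get(dst) is None:
                new[dst] = match[src] if match else None
        result.append(new)
    return result

def where_isnull(rows, field):
    """Emulate `| where isnull(<field>)`."""
    return [r for r in rows if r.get(field) is None]

def unknown_ips(driving, table):
    """IPs in the driving rows that have no match in the lookup table."""
    rows = lookup_outputnew(driving, table, "ip",
                            {"ip": "ip1", "mac_address": "ma1"})
    return [r["ip"] for r in where_isnull(rows, "ip1")]

if __name__ == "__main__":
    assets, changes = read_rows(ASSETS1), read_rows(TEST_DATA)
    print("new data -> assets lookup:", unknown_ips(changes, assets))
    print("assets -> new data lookup:", unknown_ips(assets, changes))
```

Driving from the new data and looking up against the known assets leaves only the three unseen addresses; the reverse direction matches every row, so the `isnull` filter returns nothing.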