×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
amsagg
Observer
Member since: ‎02-16-2021
‎02-17-2021
Community Statistics
Posts 1
Solutions 0
Karma Given 0
Karma Received 0
Member Since ‎02-16-2021
View All

Re: Comparing two fields in different format from ...

by in Splunk Search
‎02-17-2021 11:22 AM
‎02-17-2021 11:22 AM
Hi @amsagg Try Something like below, index=stream_dns dest_asset_tag=*dns OR dest_asset_tag=A | rex field=fieldB "(?<fieldB>[^\.]+)"  ## To extract first portion to match with your lookup filed value | table fieldB | eval Flag="1" | append [| inputlookup dnslookup.csv | table fieldA | rename fieldA as fieldB | eval Flag="1"] | eventstats sum(Flag) Flag by fieldB | dedup fieldB | where Flag=1 ##If the field value exists in both index & lookup, the flag will be set to 2. Hence filtering to 1 | table fieldB ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎02-17-2021 03:57 AM