Getting Data In
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

compare 2 csv and display what is not in common

pgbr7
Explorer
‎04-27-2019 12:14 PM

Hello Guys,

I Have 2 csv,

LINUX.csv

"Linux Computer"
U-0050
U-0060
U-0065
U-0068
U-0070

DEFENDER.csv

"All Computer"
U-0040
U-0060
U-0065
U-0068
U-0070
U-0073

I try display where DEFENDER.csv != LINUX.csv, in this case the returns are :
U-0040 , U-0073.

I try :

inputlookup LINUX.csv | append [| inputlookup DEFENDER.csv ]
|where "All Computer" != "Linux Computer"

OR

inputlookup LINUX.csv | eval computer="Linux Computer" | append [| inputlookup DEFENDER.csv |eval computer2="All Computer"] | where computer2 != computer

OR

inputlookup LINUX.csv | append [| inputlookup DEFENDER.csv | rename "All Computer" as "Linux Computer"] | stats count by "Linux Computer" | where count > 1

But don't work.

Any suggestions ?

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2019 04:02 PM

You'll want lists looking like this:

computer,type
U-0050,Linux

Then you can search like this:

| inputlookup a.csv | inputlookup append=t b.csv
| stats values(type) as types by computer
| search NOT types="Linux"

If you can't change your lists you can turn them into this too:

| inputlookup LINUX.csv | eval type="Linux" | append [| inputlookup DEFENDER.csv | eval type="Defender"] | eval computer = coalesce('Linux Computer', 'All Computer')
| stats ...

View solution in original post

0 Karma
Reply
Solved! Jump to solution

pgbr7
Explorer
‎04-30-2019 09:56 AM

Thanks man! Work !

0 Karma
Reply
Solved! Jump to solution
Solution

martin_mueller
SplunkTrust
SplunkTrust
‎04-27-2019 04:02 PM

You'll want lists looking like this:

computer,type
U-0050,Linux

Then you can search like this:

| inputlookup a.csv | inputlookup append=t b.csv
| stats values(type) as types by computer
| search NOT types="Linux"

If you can't change your lists you can turn them into this too:

| inputlookup LINUX.csv | eval type="Linux" | append [| inputlookup DEFENDER.csv | eval type="Defender"] | eval computer = coalesce('Linux Computer', 'All Computer')
| stats ...
0 Karma
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...