Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Splunk Search
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I search and compare fields from two di...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tp92222
Explorer
02-02-2016
02:25 AM
I have two CSV files: dummy1 dummy2
dummy1 contains
server ip apps running
10.1.1.1 Firefox, oracle, skypee
10.2.2.2 outlook, chrome
10.2.1.1 Firefox, msoffice
dummy2 contains
Vulnerability_id apps affected
1 Firefox,chrome
2 Skype
This is my expected output:
server ip vern_apps vern_id
10.1.1.1 Firefox,skype 1,2
10.2.2.2 skype 2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-02-2016
01:13 PM
Try something like this
| inputlookup dummy1.csv | makemv app_running delim="," | mvexpand app_running | rename app_running as app | join type=inner app [| inputlookup dummy2.csv | makemv app_affected delim="," | mvexpand app_affected | rename app_affected as app ] | table server_ip apps Vulnerability_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
02-02-2016
01:39 PM
Assuming that the field names are "server ip","apps running",Vulnerability_id, and "apps affected"
Try this
source=dummy2
| eval applist=`apps affected`
| makemv delim="," applist
| mvexpand applist
| eval appname=applist
| join appname max=0 [ search source=dummy1
| eval applist=`apps running`
| makemv delim="," applist
| mvexpand applist
| eval appname=applist ]
| stats count(Vulnerability_id) as count list(Vulnerability_id) list("apps running" ) by "server ip"
| where count > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-02-2016
01:13 PM
Try something like this
| inputlookup dummy1.csv | makemv app_running delim="," | mvexpand app_running | rename app_running as app | join type=inner app [| inputlookup dummy2.csv | makemv app_affected delim="," | mvexpand app_affected | rename app_affected as app ] | table server_ip apps Vulnerability_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tp92222
Explorer
02-03-2016
02:01 AM
Thank you. query solved my problem
Get Updates on the Splunk Community!
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...
Everything Community at .conf24!
You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...
Index This | I’m short for "configuration file.” What am I?
May 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with a Special ...
