Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How do I search and compare fields from two di...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tp92222
Explorer
02-02-2016
02:25 AM
I have two CSV files: dummy1 dummy2
dummy1 contains
server ip apps running
10.1.1.1 Firefox, oracle, skypee
10.2.2.2 outlook, chrome
10.2.1.1 Firefox, msoffice
dummy2 contains
Vulnerability_id apps affected
1 Firefox,chrome
2 Skype
This is my expected output:
server ip vern_apps vern_id
10.1.1.1 Firefox,skype 1,2
10.2.2.2 skype 2
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-02-2016
01:13 PM
Try something like this
| inputlookup dummy1.csv | makemv app_running delim="," | mvexpand app_running | rename app_running as app | join type=inner app [| inputlookup dummy2.csv | makemv app_affected delim="," | mvexpand app_affected | rename app_affected as app ] | table server_ip apps Vulnerability_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
lguinn2
Legend
02-02-2016
01:39 PM
Assuming that the field names are "server ip","apps running",Vulnerability_id, and "apps affected"
Try this
source=dummy2
| eval applist=`apps affected`
| makemv delim="," applist
| mvexpand applist
| eval appname=applist
| join appname max=0 [ search source=dummy1
| eval applist=`apps running`
| makemv delim="," applist
| mvexpand applist
| eval appname=applist ]
| stats count(Vulnerability_id) as count list(Vulnerability_id) list("apps running" ) by "server ip"
| where count > 0
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2
Revered Legend
02-02-2016
01:13 PM
Try something like this
| inputlookup dummy1.csv | makemv app_running delim="," | mvexpand app_running | rename app_running as app | join type=inner app [| inputlookup dummy2.csv | makemv app_affected delim="," | mvexpand app_affected | rename app_affected as app ] | table server_ip apps Vulnerability_id
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
tp92222
Explorer
02-03-2016
02:01 AM
Thank you. query solved my problem
Get Updates on the Splunk Community!
Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...
Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...
Splunk Observability for AI
Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...
🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler
From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0
mTLS wasn’t just a checkbox ...
