Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to table list of values from lookup NOT found in Splunk?

_gkollias
Builder
‎08-03-2015 06:54 AM

I have a lookup that lists x number of values. I would like to be able to discover how many of those aren't actually logged in Splunk and table them. Initially, I tried something like this:

inputlookup lookup_values.csv  NOT [search index=contract_gateway sourcetype=esb_audit bp_bp_name=* | fields *]
| table values
| dedup values

I am not getting any results, but I know I am missing results by the count of results I see when I pull all data that I can find in Splunk for that list of values.

Any insights on query enhancements would be greatly appreciated.

Thanks in Advance

Tags (3)
0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 07:14 AM

Let us assume both sets of data share a field called host, then do it like this:

index=contract_gateway sourcetype=esb_audit bp_bp_name=* | eval type=events
| appendpipe [|inputlookup lookup_values.csv | eval type=lookup]
| stats dc(type) AS numTypes values(*) AS * BY host
| where numTypes=1 AND type=events
Reply

_gkollias
Builder
‎08-03-2015 07:48 AM

Thanks, Woodcock

I attempted to run the search, however it's running extremely slow and I'm afraid of sucking the memory out of the indexer :). The values I am looking for are spread across a 120 day time range, so essentially I am running the query over "All time".

I'll try and come up with something similar to help with its performance.

0 Karma
Reply

woodcock
Esteemed Legend
‎08-03-2015 07:54 AM

I don't think there is much opportunity for optimization, unfortunately, but this approach should definitely work.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...