
get uncommon results from two files

kavyatim

Hi,

I am joining two files based on the common field. Now I want the results which are not common.
How do I get uncommon results from two files?

Please find the query used below and help me to get the results that are not common among the files:
source="geo.csv" | table city,latitude,longitude
|eval CITY=upper(city) | table CITY,latitude,longitude | rename CITY as Localidade | join Localidade [search source="Areas para CNL .csv"] | table Localidade,AT,latitude,longitude

I need only the Localidade which is not common between "geo.csv" and "Areas para CNL .csv".

Thanking you


MuS

Hi kavyatim,

try something like this:

source="geo.csv" OR source="Areas para CNL .csv" | eval CITY=upper(city) | where CITY!=Localidade OR Localidade!=CITY | rename CITY as Localidade | table Localidade,AT,latitude,longitude

You don't need a join because you use two different fields from two different sources. Maybe you need to tune the where statement; I included both compares, maybe you need just one. This is untested since I don't have your data.

hope this helps ...

cheers, MuS


somesoni2

Try this (assuming you just need a list of Localidade which are not common between the two sources):

| set diff [search source="geo.csv" | eval Localidade=upper(city) | table Localidade] [search source="Areas para CNL .csv" | table Localidade]
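
An added example, not part of either answer above: a single search without subsearches that keeps every Localidade seen in only one of the two files and also reports which file it came from. It assumes the field names used in the question (city, latitude, longitude in geo.csv; Localidade and AT in the other file); source_count and found_only_in are names made up for this example.

```spl
source="geo.csv" OR source="Areas para CNL .csv"
| eval Localidade=upper(coalesce(Localidade, city))
| stats dc(source) AS source_count
        values(source) AS found_only_in
        values(AT) AS AT
        values(latitude) AS latitude
        values(longitude) AS longitude
        BY Localidade
| where source_count=1
| table Localidade, found_only_in, AT, latitude, longitude
```

Changing the filter to source_count=2 returns the common values instead, which is what the original join produced.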
