Getting Data In
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my inputlookup subsearch to return field values from the csv only if the values were not found?

TobiasBoone
Communicator
‎02-23-2015 07:08 AM 
index=audit /collect earliest=-300d [inputlookup serials2check | fields serial | multikv fields serial | rename serial as query]

This search works perfect for pulling a list of serial numbers that internal audit needs to check to see if they have been on our premise in the past 300 days. Pulls in a list of 300 plus serial numbers and essentially does a big OR statement in the middle from the csv.

What I would like to know is how to return the serial number from the csv input lookup ONLY IF it was not found. I've been scratching my head for a while and cannot get my head wrapped around how to invert this logic using the pipeline.

Reply

markthompson
Builder
‎02-25-2015 06:47 AM

Take a look at the Eval match, you could use a simple if statement,

eval Exists=if(match(Field,"REGEX"), TRUE, FALSE)

Then just table the ones where Exists is equal to false.

0 Karma
Reply

TobiasBoone
Communicator
‎02-25-2015 06:59 AM

I looked at the eval function and just can't figure out how to take a negative result from an individual subsearch item and return a value from it. If the serial numbers from the input list were a one to one ratio with what was in the assets index, I could just do a NOT, but unfortunately the assets index contains many more thousand. If this were more of an interative process perhaps it would be possible. Should the input lookup occur first passing the values into the search and then into the eval?

0 Karma
Reply

markthompson
Builder
‎02-25-2015 07:07 AM

In your lookup table, you might be able to use

eval Exists=if(match(Field,), TRUE, FALSE)

Which might pass the value through to the match statement, see if it can find it, then add a where clause just before your table.

0 Karma
Reply

somesoni2
Revered Legend
‎02-24-2015 02:28 PM

Could you please explain more about the requirement here? When do you want to return serial numbers from inputlookup?

0 Karma
Reply

TobiasBoone
Communicator
‎02-25-2015 06:31 AM

Scenario... take a list of serial numbers and see if they are actively checking into the asset management system logs. There are two parts to this report from central audit.
1. This is working -- see who is using the computer serial numbers and where.
2. This is what I am looking for -- show me those serial numbers from initial list that did not return results because they are missing...

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...