How to find out which field values from logs that ...

chlily · ‎08-27-2015

The abclogs index contains a field call "userid" and there is similar field "identity" in the file totalname.csv. Now I run the search as below to try to find out those userid which are not in the file totalname.csv

index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

Here is the result:
⚠ Error in 'fields' command: Invalid argument: 'identity='jamessmith'

No idea how to fix it.

woodcock · ‎08-28-2015

Like this:

index=abclogs | stats count by userid | eval userid=lower(userid) | search NOT [|inputlookup totalname.csv | eval identity=lower(identity) | fields identity]

And if you like, tack on | fields userid.

woodcock · ‎10-30-2015

Did this work?

pradeepkumarg · ‎08-27-2015

you will have to rename indentity as userid in your sub search



index=abclogs | stats count by userid | eval userid=lower(userid) | fields userid NOT [|inputlookup totalname.csv | eval identity=lower(identity) | rename identity as userid | table userid]

How to find out which field values from logs that are not found in a CSV file?

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk