Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search to Correlate 2 different csv files.

krishnacasso
Path Finder
‎02-08-2017 10:22 AM

We have 2 different csv files under the same index and sourcetype.

csv1.csv-Fields[uniquenumber Name status]
csv2.csv-Fields[uniquenumber ID ]

I am trying to correlate csv files using uniquenumber,
we should have values for Name(csv1) & ID(csv2) and if we dint have same value I need to display in a table with details.

display a table like below,

uniquenumber Name ID
1 krishna krish

I am trying a search like below and it is not getting results which I need.

Can some one throw some light on this.
index=* sourcetype=csv | transaction uniquenumber | search Name!=ID | stats values(Name) values(ID) by dc(uniquenumber)

Thanks.

Tags (1)
0 Karma
Reply

DalJeanis
Legend
‎02-21-2017 01:24 PM

Your search Name!=ID is testing before you have collected those values together onto a single record with the stats command. As such, you are either going to get every record, or no records, depending on how splunk is handling comparison between non-nulls and nulls.

Also, trying to aggregate the stats by dc(uniquenumber) - the distinct count of that field, rather than by the field itself, makes no sense.

That's why praveenbandi's solution, changing the order of those two commands and doing stats by the field, should work for you.

woodcock's partial answer shows an efficient way of coding the same stats command, but at your level I'd suggest that praveenbandi's code is better practice for you, because you need to see and understand precisely what each line is doing, in order for you to master splunk most quickly.

0 Karma
Reply

woodcock
Esteemed Legend
‎02-21-2017 11:35 AM

Like this:

index=* sourcetype=csv | stats values(*) AS * BY uniquenumber
0 Karma
Reply

praveenbandi
Explorer
‎02-08-2017 10:27 AM

try this, base search | stats values(Name) as Name, values(ID) as ID by uniquenumber | search Name!=ID

Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...