- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- how to get the list of non matching values of look...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
how to get the list of non matching values of lookup with search?
I have a search which will give list of a values for field A and I have a look up which has values for the same Field A ..I am trying to get the list of the non matching values inn the lookup
Example:
index=abc sourcetype=xyz |table ccid
OUTPUT
ccid
111
222
333
444
LOOKUP
|inutlookup data.csv
ccid
111
222
333
444
555
666
777
888
The query should give me all the values which are there in lookup but not in search
Final output
555
666
777
888
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
To find items in the lookup that have no corresponding events in the base search:
| inputlookup data.csv
| search NOT [search index=abc sourcetype=xyz |fields ccid | format ]
And a second option:
index=abc sourcetype=xyz
| eval from_base=1
| inputlookup append=true data.csv
| stats count, max(from_base) AS from_base by ccid
| where count=1 AND isnull(from_base)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This link has what exactly I am looking for
https://answers.splunk.com/answers/562185/compare-search-results-with-a-lookup-table-and-ide-1.html
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the size of the lookup is reasonable, this will work:
index=abc sourcetype=xyz NOT [| inputlookup data.csv | fields ccid]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you get to a point where the size of the lookup is dwarfing the size of the data returned by index=abc sourcetype=xyz, then you could switch to this:
index=abc sourcetype=xyz
| lookup data.csv ccid OUTPUT ccid AS found
| where isnull(found)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I ran the search and lookup separately the search has 125 and lookup has 149 values bu t when I ran your query it gives me no results
index=abc sourcetype=xyz ccid=*2 NOT [| inputlookup data.csv | fields ccid] -no results
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ahhh, my apologies. I read your request backwards. I was looking for events that did not match the lookup, rather than items in the lookup that do not match the events! I'll post a new answer now that matches your actual request.
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
