Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I compare multiple fields between two CSV files?

russell120
Communicator
‎09-11-2018 06:49 AM

Hi. I'm attempting to compare an inventory master list (lookup file) to a weekly inventory list (lookup file) displayed by Splunk to see if an unauthorized item has been added OR removed in the weekly list.

Example:
masterlookup.csv

device              hostname                  ip                      domain
router              router1234               111.11.11.111          usr.hey.spk
workstation         workstation1234          222.22.22.222          usr.hey.spk
printer             printer1234              123.12.12.123          usr.hey.spk
switch              switch1234               444.44.44.444          usr.hey.spk

week2lookup.csv

device         hostname         ip                 domain
router         router4321       211.11.11.111      usr.hey.spk
workstation    workstation1234  222.22.22.222      usr.hey.spk
printer        printer5678      999.99.99.999      usr.hey.spk

The two queries should search three fields (hostname, ip, domain) and return the router and printer device because their hostname and ip values do not match what is listed in the masterlookup.csv. I intend to have a panel display a table of what is added (the new router and printer in week2lookup.csv) and another to display what was removed (the router, printer, and switch in masterlookup.csv).

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

osakachan
Communicator
‎10-23-2018 10:54 PM

Maybe this solution is not efficient but is the first one I thought

 | inputlookup masterlookup.csv 
 | eval time="old"
 | append 
     [ | inputlookup week2lookup.csv 
     | eval time="new"]
 | stats count values(time) as when by hostname, device, ip, domain
 | search count=1 when=old

Changing the field's value in the last search you can have added or removed.

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

osakachan
Communicator
‎10-23-2018 10:54 PM

Maybe this solution is not efficient but is the first one I thought

 | inputlookup masterlookup.csv 
 | eval time="old"
 | append 
     [ | inputlookup week2lookup.csv 
     | eval time="new"]
 | stats count values(time) as when by hostname, device, ip, domain
 | search count=1 when=old

Changing the field's value in the last search you can have added or removed.

0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎09-13-2018 04:18 AM

Maybe this solution is not efficient but is the first one I thought

| inputlookup masterlookup.csv 
| eval time="old"
| append 
    [ | inputlookup week2lookup.csv 
    | eval time="new"]
| stats count values(time) as when by hostname, device, ip, domain
| search count=1 when=old

Changing the field's value in the last search you can have added or removed.

Reply
Solved! Jump to solution

russell120
Communicator
‎10-23-2018 08:35 AM

@elpred0 Post this again as a new comment so that I can accept it as the answer.

0 Karma
Reply
Solved! Jump to solution

osakachan
Communicator
‎10-23-2018 11:03 PM

Done! Thank you @russell120 !!

0 Karma
Reply
Solved! Jump to solution

russell120
Communicator
‎10-23-2018 08:15 AM

This works!

0 Karma
Reply
Get Updates on the Splunk Community!

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...

Introducing the 2024 Splunk MVPs!

We are excited to announce the 2024 cohort of the Splunk MVP program. Splunk MVPs are passionate members of ...

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...