lookup csv file

kacel
New Member

Good morning,
I have some issues on Splunk now, if someone can help me.
This is a description of my CSV:

|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |

So what I want to do is to ignore the line where Hostname == Parent, and only from the side of Hostname. What I mean is there can be a lot of values equal to V1 in Parent, but in Hostname it appears one time.
Thanks all.

0 Karma

renjith_nair
SplunkTrust

@kacel,

Are you looking for something similar ?

    | inputlookup your_lookup.csv
    | eventstats values(Parent) as _tmp
    | eval found=if(isnull(mvfind(_tmp,Hostname)),0,1)
    | where found!=1

Happy Splunking!
0 Karma

kacel
New Member

I want to compare all values in column Parent with Hostname values,
and if there is an equal, then ignore the first line and not all lines. So in result:
|Hostname |VersionSoftware | Parent |
|V1 |xxxx |c1 |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

target
|Hostname |VersionSoftware | Parent |
|V2 |xxxx |c2 |
|V3 |xxxx |T3 |
|V4 |xxxx |V1 |
|V5 |xxxx |V1 |

0 Karma

sandeepmakkena
Contributor

    | inputlookup my_csv
    | eventstats values(Parent) as parent_tmp
    | eval found=if(isnull(mvfind(parent_tmp,Hostname)),0,1)
    | where found!=1
    | table Hostname Parent VersionSoftware

This gives what you are looking for.

0 Karma
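
An added example, not from any poster in this thread: `mvfind` takes a regular expression, so a Hostname is flagged even when it is only a substring of some Parent value. The search below builds the thread's sample rows plus one constructed row (`T`) inline and compares the `mvfind` flag with an exact match done through `appendpipe` and `eventstats ... by Hostname`; the field names `constructed_rows`, `all_parents`, `marker`, `regex_match` and `exact_match` are made up for the illustration.

```spl
| makeresults
| eval constructed_rows="V1,xxxx,c1;V2,xxxx,c2;V3,xxxx,T3;V4,xxxx,V1;V5,xxxx,V1;T,xxxx,c3"
| makemv delim=";" constructed_rows
| mvexpand constructed_rows
| eval f=split(constructed_rows, ","), Hostname=mvindex(f,0), VersionSoftware=mvindex(f,1), Parent=mvindex(f,2)
| table Hostname VersionSoftware Parent
| eventstats values(Parent) as all_parents
| eval regex_match=if(isnull(mvfind(all_parents, Hostname)), 0, 1)
| appendpipe
    [ stats count by Parent
    | rename Parent as Hostname
    | eval marker=1
    | fields Hostname marker ]
| eventstats max(marker) as exact_match by Hostname
| where isnull(marker)
| fillnull value=0 exact_match
| table Hostname VersionSoftware Parent regex_match exact_match
```

Only V1 gets `exact_match=1`, while `regex_match=1` is set for both V1 and T (because `T` matches inside the Parent value `T3`). Appending `| where exact_match=0` keeps V2 through V5 and T.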

jkat54
SplunkTrust

    | inputlookup yourlookup.csv
    | where hostname!=parent

0 Karma

Richfez
SplunkTrust

If those are exactly the right example, then case matters!

Working off this more or less perfect answer...

    | inputlookup yourlookup.csv
    | where Hostname!=Parent

Give that a try!

If it doesn't work, please provide what it DOES give you back, and where it's wrong. And what you wanted instead.

Happy Splunking!
Rich

kacel
New Member

Thank you for the answer,
but your proposition doesn't work.
I had a false result.
I think that I must use a loop fixing hostname and iterating on parent.
Thanks if you have something else.

0 Karma

Richfez
SplunkTrust

@kacel, Please be careful to "Add comment" when replying to a particular answer instead of "Post Your Answer To This Question". I moved this comment to where it belongs for you.

Unless of course you found your own answer and are helping everyone else by writing it down here!

Anyway - no worries, it's not a big deal, just something to be careful of!

Happy Splunking,
Rich

0 Karma