Solved: Compare multiple inputlookup's

aswanda · ‎04-08-2013

I am looking for a way to compare data from multiple inputlookup csv's. Each CSV has the same exact set of fieldnames (IP, Host, Title). I know that I can list all the data from one csv by running: | inputlookup table1.csv
but I would like to search multiple table's at once and compare the results from specific fields. Is this possible in Splunk?

I imagine it's doable using a subsearch but I haven't had much luck. Things like: | inputlookup table1.csv [ | inputlookup table2.csv ] doesn't seem to work.

Anyone have any thoughts on this?
Thanks in advance!

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

View solution in original post

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

Compare multiple inputlookup's

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!