Solved: Compare multiple inputlookup's

aswanda · ‎04-08-2013

I am looking for a way to compare data from multiple inputlookup csv's. Each CSV has the same exact set of fieldnames (IP, Host, Title). I know that I can list all the data from one csv by running: | inputlookup table1.csv
but I would like to search multiple table's at once and compare the results from specific fields. Is this possible in Splunk?

I imagine it's doable using a subsearch but I haven't had much luck. Things like: | inputlookup table1.csv [ | inputlookup table2.csv ] doesn't seem to work.

Anyone have any thoughts on this?
Thanks in advance!

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

View solution in original post

Ayn · ‎04-08-2013

You could probably do this using set diff. Something like

| set diff [|inputlookup table1.csv] [|inputlookup table2.csv]

(So, note that set diff is used at the very start of the search)

If you want to diff on specific fields, add | field yourfieldofinterest at the end of each subsearch.

Compare multiple inputlookup's

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!