Hi all -
Relatively new to Splunk and have already attempted a number of methods from forums to perform this search to no avail.
I have a single Index of events and a single lookup table containing reference data. Events are tied to the Lookup Table via the source.item_id value in the event stream and the lookup_id field in the Lookup Table. I'm trying to find items that exist in the Lookup Table that do NOT exist in the event stream and then list the lookup_output field (from the Lookup Table).
The cleanest method seems to be something along these lines:
| inputlookup mtylookuptable | fields lookup_id, lookup_output | search NOT [search index=myindex | dedup event_id | table source.item_id | format]
Running each search independently seems to return the correct results. I opted to use the "format" command to return a 'clean' list of the source_item_ids.
The problem I'm running into is that the results returned are always every value in the Lookup Table, which I know is not right. Any thoughts / help appreciated.
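As an added example (not part of the original post), two ways to express the anti-join so that the field name coming out of the subsearch matches the field the outer search filters on: the first keeps the poster's subsearch/format structure and adds a rename (without it, format emits source.item_id="..." clauses, a field that does not exist in the lookup rows, so NOT matches every row); the second uses append plus stats, which avoids the default 10,000-row subsearch result limit. Index, lookup and field names are the poster's own; the in_events marker field is an assumption introduced here.

```spl
| inputlookup mtylookuptable
| fields lookup_id, lookup_output
| search NOT
    [ search index=myindex
      | stats count BY source.item_id
      | rename source.item_id AS lookup_id
      | fields lookup_id
      | format ]

| inputlookup mtylookuptable
| fields lookup_id, lookup_output
| eval in_events=0
| append
    [ search index=myindex
      | stats count BY source.item_id
      | rename source.item_id AS lookup_id
      | eval in_events=1
      | fields lookup_id, in_events ]
| stats max(in_events) AS in_events, values(lookup_output) AS lookup_output BY lookup_id
| where in_events=0
| table lookup_id, lookup_output
```

Run either search on its own; in the first, replacing the final format with nothing and inspecting the subsearch output is a quick way to confirm the emitted field is lookup_id before wrapping it in NOT.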