Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Getting Data In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How to correlate field values between an index...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
russell120
Communicator
01-22-2019
12:28 PM
Hi,
I have a CSV ( current_assets.csv) with fields device_name and ip (and tons of values for them). Here is an example:
device_name ip
router1 122.145.11.2
laptop2 11.121.44.55
How do I search my index ( sourcetype="device_assets") for the CSV IPs and return whether or not each IP is found within the index?
An example result would be:
device_name ip found
router1 122.145.11.2 Yes
laptop2 11.121.44.55 No
Important note: The solution CANNOT use |join command because this is very intensive/slow for my current deployment.
Thanks
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
01-22-2019
07:47 PM
@russell120 ,
Try
|inputlookup current_assets.csv|eval source="lookup"
| append [search index="your index" sourcetype="device_assets"|stats count by ip|fields ip|eval source="events"]
| stats values(device_name) as device_name , values(source) as source by ip|where mvcount(source) >1 OR source="lookup"
| eval found=if(mvcount(source)>1,"Yes","No")|fields - source
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
renjith_nair
Legend
01-22-2019
07:47 PM
@russell120 ,
Try
|inputlookup current_assets.csv|eval source="lookup"
| append [search index="your index" sourcetype="device_assets"|stats count by ip|fields ip|eval source="events"]
| stats values(device_name) as device_name , values(source) as source by ip|where mvcount(source) >1 OR source="lookup"
| eval found=if(mvcount(source)>1,"Yes","No")|fields - source
---
What goes around comes around. If it helps, hit it with Karma 🙂
What goes around comes around. If it helps, hit it with Karma 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
russell120
Communicator
01-23-2019
08:38 AM
This works, thanks.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
bangalorep
Communicator
01-22-2019
07:46 PM
Hello,
You could usee the inputcsv command. The syntax would be sourcetype="device_assets" | inputcsv current_assets.csv
Documentation on this command https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Inputcsv
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
russell120
Communicator
01-23-2019
05:48 AM
This returns a "Error in 'inputcsv' command: This command must be the first command of a search" error.
Get Updates on the Splunk Community!
Combine Multiline Logs into a Single Event with SOCK - a Guide for Advanced Users
This article is the continuation of the “Combine multiline logs into a single event with SOCK - a step-by-step ...
Everything Community at .conf24!
You may have seen mention of the .conf Community Zone 'round these parts and found yourself wondering what ...
Index This | I’m short for "configuration file.” What am I?
May 2024 Edition
Hayyy Splunk Education Enthusiasts and the Eternally Curious!
We’re back with a Special ...
