Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I Compare field values between Lookup Table and Sourcetype and find the Delta

SplunkDash
Motivator
‎03-09-2023 10:05 PM

Hello,

I am facing issues to find delta.

I have:

Lookup Table: testaccount_holder.csv

2 Field names in Lookup: account_no and cell

index=test Sourcetype =test_account

2 Field names :  account_no and cell

Now, need to compare Lookup table with  sourcetype using these 2 fields and find all the records/rows which are exist in Lookup table but not in sourcetype. This comparison is based on these 2 fields.

Any recommendations will be highly appreciated. Thank you so much.

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:09 PM

Try this

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
  | inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:09 PM

Try this

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
  | inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎07-19-2023 01:55 PM

Hello @bowesmana 

Delta created using following logic is not giving the right output.  Output from that delta I found basically what we can get if you run: 

| inputlookup testaccount_holder.csv

 

Any recommendations would be appreciated. Thank you!

Tags (1)
0 Karma
Reply
Solved! Jump to solution

SplunkDash
Motivator
‎03-09-2023 10:44 PM

Hello,

I have one more question related to this. I was trying show other fields which are present in Lookup Table and was using (| table account_no cell name address) at the end, but not showing up. Any recommendation will be highly appreciated. Thank you again.

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
| append [
| inputlookup testaccount_holder.csv
]
| stats values(found) as found by account_no cell
| where isnull(found)| table account_no cell name address

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-10-2023 05:43 PM

After the stats command you will only have fields that are part of the stats, so in this case, found, account_no and cell. So, if you want to carry through address do this using the modified append and stats.

index=test sourcetype=test_account
| stats count by account_no cell
| lookup testaccount_holder.csv account_no cell OUTPUT account_no as found
``` So in the search above, you will have 3 fields
    account_no, cell and found
```
| append [
  | inputlookup testaccount_holder.csv
  ``` Now specify the fields you want from the lookup to pass through to the end result ```
  | fields account_no cell name address
]
``` and this stats command using wildcards, will carry through ANY of the fields you retain above ```
| stats values(*) as * by account_no cell
| where isnull(found)
| table account_no cell name address

 

Reply
Solved! Jump to solution

SplunkDash
Motivator
‎03-09-2023 10:29 PM

Hello,

Thank you so much for your quick response, truly appreciate it. Your SPL code is working as expected, AWESOME!!!

0 Karma
Reply
Solved! Jump to solution

bowesmana
SplunkTrust
SplunkTrust
‎03-09-2023 10:44 PM

Great! You will find this is a common pattern referred to as 'proving the negative', i.e. when the data does NOT contain what you are looking for, so you do the pattern of

1. Search Data
2. Set an indicator that it's present in data
3. Append the expected source of truth
4. Resolve the duplicates
5. Validate what is not present

Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...