Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to Print Id's which are not present in Index search?

RahulMisra
Engager
‎08-24-2023 06:45 AM

I have a lookup file( with one column combinedrules{}) which would be dynamic and i want to run a scheduled search to print ID's that are not present in the index search(has same column combinedrules{}).

 

Lookup File

combinedrules{}

324252

543246

search

 

 

Combinedrules{} Search(index) Inputlookup file
324252 No Yes
432324 No Yes
Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2023 06:55 AM

Hi @RahulMisra,

you could try something like this:

index=your_index
| eval Combinedrules{}=lower(Combinedrules{})
| stats count BY Combinedrules{}
| append [ | inputlookup your_lookup.csv | eval Combinedrules{}=lower(Combinedrules{}), count=0, lookup_check="yes" | fields Combinedrules{} count lookup_check ]
| fillnull value="no" lookup_check
| stats 
   sum(count) AS total 
   values(lookup_check) AS lookup_check
   dc(lookup_check) AS lookup_check_count
   BY Combinedrules{}
| eval 
   search_index=if(total=0,"no","yes),
   lookup_check=if(lookup_check_count=1,lookup_check,"yes")
| table Combinedrules{} search_index lookup_check

Ciao.

Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-25-2023 04:13 AM

Just one last thing, i am getting desired results on stats ( as per my lookup file)

RahulMisra_1-1692961946831.png

 

but , events are not aliighning to stats

RahulMisra_0-1692961914095.png

RahulMisra_2-1692961999840.png

 

 

0 Karma
Reply
Solved! Jump to solution

aromanauskas
Path Finder
‎08-24-2023 04:08 PM

You have a couple different ways to do this.  if you have say 10000 items in the lookup table.. but 10Million in the index many of which are NOT in the lookup then you probably want to use it as part of the search. 

index=<indexname> [ | inputlookup <filename> | fields combinedrules{} | format] 
| append [ | inputlookup <filename> | eval sourcetype=lookupfile ]
|stats dc(sourcetype) AS sources by combinedrules{} 
| eval Search_Index=if(sources > 1,"Yes","No")
| eval Inputlookup_File = "Yes"

If you want to know if a value is IN the index but not the lookup file.. then: 

index=<indexname>
| append [ | inputlookup <filename> | eval sourcetype=lookupfile ]
|stats dc(sourcetype) AS sources values(sourcetype) AS sourcetype by combinedrules{} 
| eval Search_Index=if(sources > 1 OR NOT match(sourcetype,"(lookupfile)"),"Yes","No")
| eval Inputlookup_File =if(match(sourcetype,"(lookupfile)"),"Yes","No")
|fields combinedrules{},Search_Index,Inputlookup_File


0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 06:59 AM 
<index search>
| dedup combinedrules
| eval found="Index"
| append
  [| inputlookup lookupfile
  | eval found="Lookup"]
| chart count by combinedrules found
| where isnull(Index) OR (Index==0 AND Lookup==1)
0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 08:59 AM

RahulMisra_0-1692892727012.png

No data coming in.

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎08-24-2023 09:32 AM

Are you using the correct field names? (Fieldnames are case-sensitive)

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 09:29 AM

I got some data after removing dedup

RahulMisra_0-1692895341985.png

 

combinedrules{}

3000041
959073
981248

 

I want to see what events are there is search which has these Id's.

 

This is the combined rules field containing on raw events : "combinedrules": ["3900006", "3900007", "3900013", "3900020", "3900021", "3900036", "970901"

 

Appreciate your help.

0 Karma
Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎08-24-2023 06:55 AM

Hi @RahulMisra,

you could try something like this:

index=your_index
| eval Combinedrules{}=lower(Combinedrules{})
| stats count BY Combinedrules{}
| append [ | inputlookup your_lookup.csv | eval Combinedrules{}=lower(Combinedrules{}), count=0, lookup_check="yes" | fields Combinedrules{} count lookup_check ]
| fillnull value="no" lookup_check
| stats 
   sum(count) AS total 
   values(lookup_check) AS lookup_check
   dc(lookup_check) AS lookup_check_count
   BY Combinedrules{}
| eval 
   search_index=if(total=0,"no","yes),
   lookup_check=if(lookup_check_count=1,lookup_check,"yes")
| table Combinedrules{} search_index lookup_check

Ciao.

Giuseppe

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-24-2023 02:51 PM

getting error:

 

 Error in 'EvalCommand': The expression is malformed. Expected ).

0 Karma
Reply
Solved! Jump to solution

RahulMisra
Engager
‎08-25-2023 03:14 AM

@gcusello  I am getting the desired results.  Accepting the solution. 

 

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎08-25-2023 03:17 AM

Hi @RahulMisra ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...