Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to find values in a lookup table that do not appear in an index?

janderson19
Path Finder
‎08-10-2020 03:44 PM

Hello,

I have a lookup table that I've exported from another report using the fields IP_ADDRESS, CountOfUserID.

I'm trying to find IP Addresses in another index, msad, using primarily the fields ClientIP and UserId, which do not appear in the lookup table.

So, if IP_ADDRESS and ClientIP match, throw the data out, and return a list of the leftover IP_ADDRESS values.

I'm running into issues, where either the search will return the opposite of what I want (IP Addresses that appear in both datasets), or nothing at all.

Does anyone know how to work the logic on this? I feel like I've tried everything.

Thanks,

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 12:10 PM

index=msad

| stats count  by ClientIP,UserId

| append [| inputlookup yourlookupname | stats c as l_count by IP_ADRESS | rename IP_ADDRESS as ClientIP]
| stats values(*) as * by ClientIP

| where isnull(count)

————————————
If this helps, give a like below.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

mraudaschl
Loves-to-Learn
‎09-21-2020 07:26 AM

hi Janderson19, 
I am trying to achieve the same thing but didn't have any luck so far. Were you successfull?

 

0 Karma
Reply
Solved! Jump to solution
Solution

thambisetty
SplunkTrust
SplunkTrust
‎08-11-2020 12:10 PM

index=msad

| stats count  by ClientIP,UserId

| append [| inputlookup yourlookupname | stats c as l_count by IP_ADRESS | rename IP_ADDRESS as ClientIP]
| stats values(*) as * by ClientIP

| where isnull(count)

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

thambisetty
SplunkTrust
SplunkTrust
‎08-13-2020 12:34 PM

@janderson19 

👍 is really appreciated 😁

————————————
If this helps, give a like below.
0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-11-2020 02:35 PM

index=msad | stats count  by ClientIP,UserId | lookup yourlookup IP_ADDRESS AS ClientIP OUTPUT CountOfUserID | where isnull(CountOfUserID)

 

 

0 Karma
Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎08-10-2020 05:49 PM

see the command reference and use AS clause.

lookup can use different field names.

0 Karma
Reply
Solved! Jump to solution

janderson19
Path Finder
‎08-11-2020 11:06 AM

Yeah. I got it to match the two datasets pretty easily, but what I'm having trouble with is finding events that *don't* appear in the index.

0 Karma
Reply
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...