<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How to reference csv subsearch results to exclude matching hostnames from main csv search results? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133357#M27407</link>
    <description>&lt;P&gt;Hello Splunkers,&lt;BR /&gt;
I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything with the field where Purpose2 has the word 'farm' in it needs to be excluded from both lists.&lt;BR /&gt;
I will eventually be joining the hostnames lists between indexes as one single master list but I need to exclude the list from Index A from both.&lt;/P&gt;

&lt;P&gt;Here is the search that identifies the list of hostnames from index A:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;search for index B which successfully returns a list of hostnames:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;How do I get index B search to "see" and exclude the search from index A?&lt;/P&gt;

&lt;P&gt;Thank you very much for any assistance.&lt;/P&gt;</description>
    <pubDate>Fri, 19 Sep 2014 20:02:05 GMT</pubDate>
    <dc:creator>lbogle</dc:creator>
    <dc:date>2014-09-19T20:02:05Z</dc:date>
    <item>
      <title>How to reference csv subsearch results to exclude matching hostnames from main csv search results?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133357#M27407</link>
      <description>&lt;P&gt;Hello Splunkers,&lt;BR /&gt;
I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything with the field where Purpose2 has the word 'farm' in it needs to be excluded from both lists.&lt;BR /&gt;
I will eventually be joining the hostnames lists between indexes as one single master list but I need to exclude the list from Index A from both.&lt;/P&gt;

&lt;P&gt;Here is the search that identifies the list of hostnames from index A:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;search for index B which successfully returns a list of hostnames:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;How do I get index B search to "see" and exclude the search from index A?&lt;/P&gt;

&lt;P&gt;Thank you very much for any assistance.&lt;/P&gt;</description>
      <pubDate>Fri, 19 Sep 2014 20:02:05 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133357#M27407</guid>
      <dc:creator>lbogle</dc:creator>
      <dc:date>2014-09-19T20:02:05Z</dc:date>
    </item>
    <item>
      <title>Re: How to reference csv subsearch results to exclude matching hostnames from main csv search results?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133358#M27408</link>
      <description>&lt;P&gt;Try this&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt; index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* NOT [search  index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS CN| table CN]| rename CN as hostname
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Fri, 19 Sep 2014 20:10:02 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133358#M27408</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2014-09-19T20:10:02Z</dc:date>
    </item>
    <item>
      <title>Re: How to reference csv subsearch results to exclude matching hostnames from main csv search results?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133359#M27409</link>
      <description>&lt;P&gt;I think that did it! Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 23 Sep 2014 00:35:03 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-to-reference-csv-subsearch-results-to-exclude-matching/m-p/133359#M27409</guid>
      <dc:creator>lbogle</dc:creator>
      <dc:date>2014-09-23T00:35:03Z</dc:date>
    </item>
  </channel>
</rss>

