https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353677#M104668 <P>@somesoni2: thank you !! my base search(tstats) display results in table. Not sure how to use "NOT" after that.</P> Thu, 01 Feb 2018 20:20:37 GMT AKG1_old1 2018-02-01T20:20:37Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353673#M104664 <P>Hi, </P> <P>I am using one search query to extract list of data and I want to exclude those rows which are present in one csv file(lookup).</P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4292iBC708103FBCB6E25/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> <P><span class="lia-inline-image-display-wrapper" image-alt="alt text"><img src="https://community.splunk.com/t5/image/serverpage/image-id/4293i143EFDC9FF447E2B/image-size/large?v=v2&amp;px=999" role="button" title="alt text" alt="alt text" /></span></P> Thu, 01 Feb 2018 18:52:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353673#M104664 AKG1_old1 2018-02-01T18:52:37Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353674#M104665 <P>@agoyal, refer to @somesoni2's answer <A href="https://answers.splunk.com/answers/612603/how-to-search-what-values-are-missing-in-my-lookup.html">https://answers.splunk.com/answers/612603/how-to-search-what-values-are-missing-in-my-lookup.html</A> of marking the results coming from index vs lookup and then you can add a filter to only those coming from index.</P> <P>Following is a run anywhere example (instead of first pipe <CODE>| tstats</CODE> you can have your first search pulling data from index)</P> <PRE><CODE>| tstats count where index=_internal by sourcetype | eval from="data" | append[ | inputlookup sourcetypelist.csv | table sourcetype | eval count=0 | eval from="lookup"] | stats values(from) as from sum(count) as Total by sourcetype | search from="data" AND from!="lookup" </CODE></PRE> <P>You can also use <A href="http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Join#Optional_arguments">outer join (or left)</A> with <CODE>|inputlookup</CODE> as your first command and <CODE>index search</CODE> as second.</P> Thu, 01 Feb 2018 19:07:29 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353674#M104665 niketn 2018-02-01T19:07:29Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353675#M104666 <P>Generally, in this type of cases, you can just use lookup table to filter your data upfront, so that all you get is data no in lookup, like this</P> <PRE><CODE>your base search NOT [| inputlookup yourlookup.csv | table Fields For Filter] |..aggregation commans... </CODE></PRE> Thu, 01 Feb 2018 19:13:47 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353675#M104666 somesoni2 2018-02-01T19:13:47Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353676#M104667 <P>Thank you @niketnilay @somesoni2 . It worked for me. <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 01 Feb 2018 20:17:58 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353676#M104667 AKG1_old1 2018-02-01T20:17:58Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353677#M104668 <P>@somesoni2: thank you !! my base search(tstats) display results in table. Not sure how to use "NOT" after that.</P> Thu, 01 Feb 2018 20:20:37 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353677#M104668 AKG1_old1 2018-02-01T20:20:37Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353678#M104669 <P>@agoyal , by base search @somesoni2 meant the first pipe with index and sourcetype where you will apply <BR /> second search for field values not in the lookup file i.e. <CODE>NOT [| inputlookup ....]</CODE><BR /> Unless your main search is on metadata fields, this is better approach where your events can be filtered in the base search itself. So do try out this approach (if your main query is not tstats) and confirm query performance.</P> <P>PS: Table generating command or transforming commands can be placed only after your base search.</P> Fri, 02 Feb 2018 01:25:32 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353678#M104669 niketn 2018-02-02T01:25:32Z https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353679#M104670 <P>Thank you for clarification. my main query is tstats. Other approach with append fits for my requirement. Thanks Again <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Fri, 02 Feb 2018 15:10:55 GMT https://community.splunk.com/t5/Splunk-Search/How-can-we-exclude-rows-which-are-present-in-another-table/m-p/353679#M104670 AKG1_old1 2018-02-02T15:10:55Z