topic Exclude from search values from lookup table in Splunk Search https://community.splunk.com/t5/Splunk-Search/Exclude-from-search-values-from-lookup-table/m-p/380333#M111326 <P>Hello,</P> <P>I have a lookup table which i test it like this :<BR /> |inputlookup approved_s3_buckets.csv </P> <P>and display the column : <BR /> Bucket-Name<BR /> bucketname1<BR /> bucketname2<BR /> .....<BR /> bucketname50</P> <P>And i have a search which display me :<BR /> Bucket-Name<BR /> bucketname1<BR /> bucketname2<BR /> bucketname3 <BR /> bucketname100 <BR /> buketname535353</P> <P>I want to exclude from my search, the values of bucket names which are present into the lookup table approved_s3_buckets.csv .<BR /> (Something similar with Bucket-Name!=bucketname1 AND Bucket-Name!=bucketname2.... and so on)</P> Tue, 29 Sep 2020 23:52:30 GMT braicu 2020-09-29T23:52:30Z Exclude from search values from lookup table https://community.splunk.com/t5/Splunk-Search/Exclude-from-search-values-from-lookup-table/m-p/380333#M111326 <P>Hello,</P> <P>I have a lookup table which i test it like this :<BR /> |inputlookup approved_s3_buckets.csv </P> <P>and display the column : <BR /> Bucket-Name<BR /> bucketname1<BR /> bucketname2<BR /> .....<BR /> bucketname50</P> <P>And i have a search which display me :<BR /> Bucket-Name<BR /> bucketname1<BR /> bucketname2<BR /> bucketname3 <BR /> bucketname100 <BR /> buketname535353</P> <P>I want to exclude from my search, the values of bucket names which are present into the lookup table approved_s3_buckets.csv .<BR /> (Something similar with Bucket-Name!=bucketname1 AND Bucket-Name!=bucketname2.... and so on)</P> Tue, 29 Sep 2020 23:52:30 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-from-search-values-from-lookup-table/m-p/380333#M111326 braicu 2020-09-29T23:52:30Z Re: Exclude from search values from lookup table https://community.splunk.com/t5/Splunk-Search/Exclude-from-search-values-from-lookup-table/m-p/380334#M111327 <P>hello there</P> <P>try this out:<BR /> <CODE>... your search ... NOT [ |inputlookup approved_s3_buckets.csv | fields approved_s3_buckets.csv | dedup approved_s3_buckets.csv | table approved_s3_buckets.csv]</CODE></P> <P>for practice, try the following searches:<BR /> first, create a small fruit basket lookup:</P> <PRE><CODE>| makeresults count=1 | eval fruits = "apple,banana,orange,lemon" | makemv delim="," fruits | mvexpand fruits | outputlookup fruits.csv </CODE></PRE> <P>then check its there:</P> <P><CODE>| inputlookup fruits.csv</CODE></P> <P>then add 2 extra fruits to the basket and verify they arent there:</P> <PRE><CODE>| makeresults count=1 | eval fruits = "apple,banana,orange,lemon,melon,watermelon" | makemv delim="," fruits | mvexpand fruits | search fruits = * NOT [| inputlookup fruits.csv | fields fruits | dedup fruits | table fruits ] </CODE></PRE> <P>hope it helps</P> Wed, 27 Mar 2019 00:39:59 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-from-search-values-from-lookup-table/m-p/380334#M111327 adonio 2019-03-27T00:39:59Z