https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537419#M151926 <P>Thank you!&nbsp; It is working.</P> Wed, 27 Jan 2021 13:45:44 GMT jmo1 2021-01-27T13:45:44Z https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537297#M151873 <P>&nbsp;I am trying to write a query that will ignore events in certain indexes (these indexes change over time).&nbsp; I have a CSV file with a single column that looks like this...</P><P>Index</P><P>a</P><P>b</P><P>c</P><P>&nbsp; &nbsp;NOTE: this is a simple example, it really has 25+ indexes</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">host=* NOT index=[| inputlookup Index.csv | fields Index]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp; This is my non-working attempt.&nbsp; The actual query is irrelevant (host=*), the point is that I want to ignore any hits where the index is in the CSV file (index!=a index!=b index!=c).</P><P>&nbsp;</P><P>Any help would be greatly appreciated.</P><P>&nbsp;</P> Tue, 26 Jan 2021 20:40:28 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537297#M151873 jmo1 2021-01-26T20:40:28Z https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537315#M151883 <P>You don't need the index=... and case is important, so use this</P><LI-CODE lang="markup">host=* NOT [ | inputlookup indexes.csv | rename Index as index ]</LI-CODE><P>Note the rename, as your column is Index, not index, so either change the column name in the table and just use | table index or go with the above</P><P>&nbsp;</P> Tue, 26 Jan 2021 21:32:17 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537315#M151883 bowesmana 2021-01-26T21:32:17Z https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537419#M151926 <P>Thank you!&nbsp; It is working.</P> Wed, 27 Jan 2021 13:45:44 GMT https://community.splunk.com/t5/Splunk-Search/inputlookup-excluding-index/m-p/537419#M151926 jmo1 2021-01-27T13:45:44Z