https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547355#M155203 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233045">@Dalador</a>&nbsp;<BR /><BR />try like this:</P><P>&nbsp;</P><LI-CODE lang="c">(index IN (index1, index2)) EventCode=4698 [inputlookup scheduled_tasks |fields Arguments, Command | format "(" "(" "AND" ")" "NOT" ")"] | fillnull Arguments value="-" | rex field=_raw "(?P&lt;Command&gt;((?&lt;=\bCommand&gt;).*(?=&lt;)))" | rex field=_raw "(?P&lt;Arguments&gt;((?&lt;=\bArguments&gt;).*(?=&lt;)))" |table Command,Arguments |dedup Command,Arguments</LI-CODE><P>&nbsp;</P><P>Karma given or solution confirmation appreciated</P><P>Alessandro</P> Fri, 09 Apr 2021 12:36:33 GMT aasabatini 2021-04-09T12:36:33Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547334#M155189 <DIV class="lia-quilt-row lia-quilt-row-message-author"><DIV class="lia-quilt-column lia-quilt-column-04 lia-quilt-column-right lia-quilt-column-message-post-times-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-right"><DIV class="lia-message-post-date lia-component-post-date lia-component-message-view-widget-post-date"><SPAN>I have a lookup table with Scheduled Tasks called scheduled_tasks, and Columns Command, Arguments.&nbsp;</SPAN></DIV></DIV></DIV></DIV><DIV class="lia-quilt-row lia-quilt-row-message-body"><DIV class="lia-quilt-column lia-quilt-column-24 lia-quilt-column-single lia-quilt-column-message-body-content"><DIV class="lia-quilt-column-alley lia-quilt-column-alley-single"><DIV class="lia-message-body lia-component-message-view-widget-body lia-component-body-signature-highlight-escalation lia-component-message-view-widget-body-signature-highlight-escalation"><DIV class="lia-message-body-content"><P>I need to do a search where I only display results where the Arguments, Command fields in events DOES NOT contain a value in the scheduled_tasks lookup table. Where it is going wrong? Thank you!<BR />My query is:&nbsp;</P><P>(index IN (index1, index2)) EventCode=4698 NOT [|inputlookup scheduled_tasks |fields Arguments, Command] | fillnull Arguments value="-" | rex field=_raw "(?P&lt;Command&gt;((?&lt;=\bCommand&gt;).*(?=&lt;)))" | rex field=_raw "(?P&lt;Arguments&gt;((?&lt;=\bArguments&gt;).*(?=&lt;)))" |table Command,Arguments |dedup Command,Arguments</P><P>&nbsp;</P><P>My lookup table:&nbsp;</P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="example3.png" style="width: 400px;"><img src="https://community.splunk.com/t5/image/serverpage/image-id/13688i202C267671A2EACA/image-size/medium?v=v2&amp;px=400" role="button" title="example3.png" alt="example3.png" /></span><P> </P></DIV></DIV></DIV></DIV></DIV> Fri, 09 Apr 2021 10:00:33 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547334#M155189 Dalador 2021-04-09T10:00:33Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547355#M155203 <P>HI&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233045">@Dalador</a>&nbsp;<BR /><BR />try like this:</P><P>&nbsp;</P><LI-CODE lang="c">(index IN (index1, index2)) EventCode=4698 [inputlookup scheduled_tasks |fields Arguments, Command | format "(" "(" "AND" ")" "NOT" ")"] | fillnull Arguments value="-" | rex field=_raw "(?P&lt;Command&gt;((?&lt;=\bCommand&gt;).*(?=&lt;)))" | rex field=_raw "(?P&lt;Arguments&gt;((?&lt;=\bArguments&gt;).*(?=&lt;)))" |table Command,Arguments |dedup Command,Arguments</LI-CODE><P>&nbsp;</P><P>Karma given or solution confirmation appreciated</P><P>Alessandro</P> Fri, 09 Apr 2021 12:36:33 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547355#M155203 aasabatini 2021-04-09T12:36:33Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547357#M155204 <P>Same result <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;</P> Fri, 09 Apr 2021 12:23:22 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547357#M155204 Dalador 2021-04-09T12:23:22Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547360#M155206 <P>hey&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233045">@Dalador</a>&nbsp;<BR /><BR />can you show me the results of this search?</P><P>&nbsp;</P><LI-CODE lang="markup">|inputlookup scheduled_tasks |fields Arguments, Command | format "(" "(" "AND" ")" "NOT" ")"</LI-CODE><P>&nbsp;</P><P>if the results is 0 please check if the permission of the lookup is set on&nbsp; global.</P> Fri, 09 Apr 2021 12:46:36 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547360#M155206 aasabatini 2021-04-09T12:46:36Z https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547364#M155208 <P>I rewrote my query:&nbsp;<BR />&nbsp; EventCode=4698 | fillnull Arguments value="-" | rex field=_raw "(?P&lt;Command&gt;((?&lt;=\bCommand&gt;).*(?=&lt;)))" | rex field=_raw "(?P&lt;Arguments&gt;((?&lt;=\bArguments&gt;).*(?=&lt;)))" |search NOT [|inputlookup scheduled_task |fields Arguments, Command]|table Task_Name, ComputerName,Command,_time,Arguments, Account_Name<BR /><BR />This works for me <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;</P> Fri, 09 Apr 2021 12:59:18 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-results-from-lookup-table-in-search/m-p/547364#M155208 Dalador 2021-04-09T12:59:18Z