https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558080#M158508 <P>&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236018">@rogueakula1</a>&nbsp;Can you try this?</P><P>&nbsp;</P><LI-CODE lang="markup">index=myindex "string_to_search_for" [ | inputlookup mylookup | fields IP | eval h="host"."!=".'IP' | return 1000 $h]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>If your number of hosts inside lookup are &gt; 1000 just increase the number next to return command accordingly.</P><P>Your output query behind would become as follows, just a note != is less efficient and it would be impact your search performance</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=myindex "string_to_search_for" host!=ip_val1 OR host!=ip_val2 OR host!=ip_val3...</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;---</P><P>An upvote would be appreciated and Accept solution if it helps!</P> Fri, 02 Jul 2021 03:01:37 GMT venkatasri 2021-07-02T03:01:37Z https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558070#M158501 <P>I am trying to remove logs based on a lookup. This is what I am using:</P><P>&nbsp;</P><P>index=myindex "string_to_search_for" NOT</P><P>&nbsp; &nbsp; &nbsp;[inputlookup mylookup</P><P>&nbsp; &nbsp; &nbsp; | rename IP as host</P><P>&nbsp; &nbsp; &nbsp; | field host]</P><P>&nbsp;</P><P>The end result is to exclude any logs that have the "host" field in the event. My inputlookup returns the correct value but my NOT statement isnt doing anything.</P><P>I am very new to Splunk so I am sure that I am missing something pretty easy.</P><P>Thanks for the help!</P> Thu, 01 Jul 2021 20:28:01 GMT https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558070#M158501 rogueakula1 2021-07-01T20:28:01Z https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558080#M158508 <P>&nbsp;</P><P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236018">@rogueakula1</a>&nbsp;Can you try this?</P><P>&nbsp;</P><LI-CODE lang="markup">index=myindex "string_to_search_for" [ | inputlookup mylookup | fields IP | eval h="host"."!=".'IP' | return 1000 $h]</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>If your number of hosts inside lookup are &gt; 1000 just increase the number next to return command accordingly.</P><P>Your output query behind would become as follows, just a note != is less efficient and it would be impact your search performance</P><P>&nbsp;</P><P>&nbsp;</P><LI-CODE lang="markup">index=myindex "string_to_search_for" host!=ip_val1 OR host!=ip_val2 OR host!=ip_val3...</LI-CODE><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;---</P><P>An upvote would be appreciated and Accept solution if it helps!</P> Fri, 02 Jul 2021 03:01:37 GMT https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558080#M158508 venkatasri 2021-07-02T03:01:37Z https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558168#M158534 <P>I managed to get the search working. I ended up using a rex field that extracted the IP address from my logs and then used the search NOT. Worked well. Thanks for the response!&nbsp;</P><P>index=myindex "string_to_search_for"</P><P>| rex field=_raw "from (?&lt;IP&gt;[0-9.-]+)"</P><P>| search NOT</P><P>&nbsp; &nbsp; &nbsp;[inputlookup mylookup</P><P>&nbsp;&nbsp; &nbsp; &nbsp; | field IP]</P> Fri, 02 Jul 2021 14:42:47 GMT https://community.splunk.com/t5/Splunk-Search/NOT-Statement-based-on-lookup-not-working/m-p/558168#M158534 rogueakula1 2021-07-02T14:42:47Z