https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81136#M20517 <P>Ayn - I probably should have bolded out the search that I was trying to use so that it was a little more clear and stood out. The search that I started out with is mentioned above for you to review, in my original post. Thanks for taking the time to try and help me.</P> Mon, 01 Jul 2013 20:19:18 GMT Darksynergy 2013-07-01T20:19:18Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81131#M20512 <P>I am trying to run a search that shows executibles that are run by any user on my network. Yet I want to exclude the search with typically run service .exe's and assocuated service user accounts. I have searched throughout the Splunk website and have done a fair amount of googling on how this can be done but had no success in my search. I have added what I have been trying to achieve below.</P> <P>Can anyone help me figure out how to achieve this?</P> <P>*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc</P> Mon, 28 Sep 2020 14:13:16 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81131#M20512 Darksynergy 2020-09-28T14:13:16Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81132#M20513 <P>Could you try this</P> <P>your search query|where NOT [|inputcsv file.csv]</P> <P>in file.csv contains User_Name,Image_File_Name list. Please give it a try.</P> Mon, 28 Sep 2020 14:13:19 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81132#M20513 linu1988 2020-09-28T14:13:19Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81133#M20514 <P>Better yet, don't use the <CODE>where</CODE> statement.</P> <PRE><CODE>&lt;yoursearch&gt; NOT [|inputlookup ExclusionList.csv] </CODE></PRE> Mon, 01 Jul 2013 19:38:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81133#M20514 Ayn 2013-07-01T19:38:17Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81134#M20515 <P>Thank you both for your suggestions. I tried both and now seem to be getting an "unbalanced quote" error.</P> Mon, 01 Jul 2013 19:55:02 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81134#M20515 Darksynergy 2013-07-01T19:55:02Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81135#M20516 <P>What does your search look like? And if this problem occurs when you add your subsearch, run the subsearch on its own (without the brackets etc) and add "<CODE>| format</CODE>" at the end. This will show you the exact filter string that the subsearch will emit.</P> Mon, 01 Jul 2013 20:00:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81135#M20516 Ayn 2013-07-01T20:00:18Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81136#M20517 <P>Ayn - I probably should have bolded out the search that I was trying to use so that it was a little more clear and stood out. The search that I started out with is mentioned above for you to review, in my original post. Thanks for taking the time to try and help me.</P> Mon, 01 Jul 2013 20:19:18 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81136#M20517 Darksynergy 2013-07-01T20:19:18Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81137#M20518 <P>I tried running the subsearch on its own with the "| format" as you suggested and got the following error.</P> <P>Error in 'format' command: The '<RESULTSTART> <COLSTART> <COLSEPARATOR> <COLEND> <ROWSEPARATOR> <RESULTEND>' arguments must be specified together or not at all.*</RESULTEND></ROWSEPARATOR></COLEND></COLSEPARATOR></COLSTART></RESULTSTART></P> Mon, 01 Jul 2013 21:05:42 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81137#M20518 Darksynergy 2013-07-01T21:05:42Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81138#M20519 <P>Show the exact search you're running, please.</P> Mon, 01 Jul 2013 21:31:38 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81138#M20519 Ayn 2013-07-01T21:31:38Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81139#M20520 <P>Ayn:</P> <P>Original search:</P> <P>*.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT [| inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name")] | stats count by User_Name, Image_File_Name, host | sort count desc</P> <P>Running search as you suggested:</P> <P>inputlookup ExclusionList.csv | ("User_Name") OR ("Image_File_Name") | stats count by User_Name, Image_File_Name, host | sort count desc</P> Mon, 28 Sep 2020 14:13:27 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81139#M20520 Darksynergy 2020-09-28T14:13:27Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81140#M20521 <P>I don't see format there? Anyway, two errors that I can see right away: you're missing a pipe before inputlookup. Also after the first pipe you don't have a command at all? Just something that seems to be meant to be search filters?</P> Mon, 01 Jul 2013 21:55:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81140#M20521 Ayn 2013-07-01T21:55:14Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81141#M20522 <P>Thanks to all of you that gave me some pointers on a direction to go to with addressing my issue. I ended going with something a little less complex in regards to using a table as a lookup for exclusions. Because I was only going to be having 10-15 service accounts and services that I that needed to be excluded, I chose to go with the following:</P> <P><EM>**.exe NOT ("Specific-Service-Account") NOT ("Specific-Service-Account1") NOT ("dsmod.exe") NOT $ NOT (ServiceAccount OR WHATEVER.exe) NOT (ServiceAccount1 OR WHATEVER1.exe) NOT (ServiceAccount2 OR WHATEVER2.exe) NOT (ServiceAccount3 OR WHATEVER3.exe) | stats count by User_Name, Image_File_Name, host | sort count desc</EM>*</P> Mon, 28 Sep 2020 14:14:13 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81141#M20522 Darksynergy 2020-09-28T14:14:13Z https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81142#M20523 <P>You can add a flag to your lookup to tell the next part of the pipeline what to do.</P> <P>e.g.</P> <P>file.csv:<BR /> thing, exclude<BR /> some_user,1<BR /> other_user,1</P> <P>Define the lookup as minimum match = 1 and fill unmatched values with 0.</P> <P>then in your search</P> <PRE><CODE>event_stream| lookup yourlookup thing | search exclude=0 | do something to what's left </CODE></PRE> <P>much easier to maintain...</P> Mon, 28 Sep 2020 17:36:56 GMT https://community.splunk.com/t5/Splunk-Search/How-to-use-lookup-to-exclude-a-list-of-user-names-and-service/m-p/81142#M20523 cmeo 2020-09-28T17:36:56Z