https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-and-subsearch-to-exclude-results-in-a/m-p/617459#M214584 <P>I need to create a search and subsearch to exclude results in a query.&nbsp;</P> <P>the primary search is a lookup table. the subsearch is a query on events that extracts a field I want to use to join to the primary search. the common field is hostname.</P> <P>If a given hostname in the lookup table is found in the subsearch i want to discard it.</P> <P>&nbsp;</P> <P>primary search</P> <P>| inputlookup hosts.csv</P> <P>field = hostname</P> <P>output:</P> <P>host1</P> <P>host2</P> <P>host3</P> <P>subsearch</P> <P>index=abc message="for account" sourcetype=type1</P> <P>rex field=names"(?&lt;hostname&gt;\S+)</P> <P>field hostname</P> <P>output:</P> <P>host3</P> <P>&nbsp;</P> <P>I want the following output:</P> <P><U>hostname</U></P> <P>host1</P> <P>host2</P> <P>I want to discard host3 since its in the subquery.&nbsp;</P> <P>How do I correlate the searches to do this? I can't use&nbsp; a join because the hostname in the subsearch is not computed until the subquery is executed.&nbsp;</P> <P>Thanks in Advance.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Oct 2022 13:59:05 GMT pc1234 2022-10-18T13:59:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-and-subsearch-to-exclude-results-in-a/m-p/617459#M214584 <P>I need to create a search and subsearch to exclude results in a query.&nbsp;</P> <P>the primary search is a lookup table. the subsearch is a query on events that extracts a field I want to use to join to the primary search. the common field is hostname.</P> <P>If a given hostname in the lookup table is found in the subsearch i want to discard it.</P> <P>&nbsp;</P> <P>primary search</P> <P>| inputlookup hosts.csv</P> <P>field = hostname</P> <P>output:</P> <P>host1</P> <P>host2</P> <P>host3</P> <P>subsearch</P> <P>index=abc message="for account" sourcetype=type1</P> <P>rex field=names"(?&lt;hostname&gt;\S+)</P> <P>field hostname</P> <P>output:</P> <P>host3</P> <P>&nbsp;</P> <P>I want the following output:</P> <P><U>hostname</U></P> <P>host1</P> <P>host2</P> <P>I want to discard host3 since its in the subquery.&nbsp;</P> <P>How do I correlate the searches to do this? I can't use&nbsp; a join because the hostname in the subsearch is not computed until the subquery is executed.&nbsp;</P> <P>Thanks in Advance.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 18 Oct 2022 13:59:05 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-and-subsearch-to-exclude-results-in-a/m-p/617459#M214584 pc1234 2022-10-18T13:59:05Z https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-and-subsearch-to-exclude-results-in-a/m-p/617460#M214585 <P>You wrote what you need to do - a search, a subsearch, and exclude (NOT).</P><LI-CODE lang="markup">| inputlookup hosts.csv where NOT [ index=abc message="for account" sourcetype=type1 | rex field=names"(?&lt;hostname&gt;\S+) ]</LI-CODE><P>It also can be done with a join, but that's not preferred.</P><LI-CODE lang="markup">| inputlookup hosts.csv | join type=left hostname [ index=abc message="for account" sourcetype=type1 | rex field=names"(?&lt;hostname&gt;\S+) ]</LI-CODE> Mon, 17 Oct 2022 23:58:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-create-a-search-and-subsearch-to-exclude-results-in-a/m-p/617460#M214585 richgalloway 2022-10-17T23:58:12Z