https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120349#M32315 <P>It looks nearly identical to what I posted.</P> <PRE><CODE>| inputlookup folders | fields "Item ID", Path | search NOT [search index=folderevents | dedup event_id | table source.item_id | format] </CODE></PRE> Wed, 01 Apr 2015 16:08:12 GMT djn12313 2015-04-01T16:08:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120347#M32313 <P>Hi all -</P> <P>Relatively new to Splunk and have already attempted a number of methods from forums to perform this search to no avail.</P> <P>I have a single Index of events and a single lookup table containing reference data. Events are tied to the Lookup Table via the source.item_id value in the event stream and the lookup_id field in the Lookup Table. I'm trying to find items that exist in the Lookup table that do NOT exist in the event stream and then list the lookup_output field (from the Lookup Table) .</P> <P>The cleanest method seems to be something along these lines:</P> <P><CODE>| inputlookup mtylookuptable | fields lookup_id, lookup_output | search NOT [search index=myindex | dedup event_id | table source.item_id | format]</CODE></P> <P>Running each search independently seems to return the correct results. I opted to use "format" command to return a 'clean' list of the of source_item_ids.</P> <P>The problem I'm running into is the results returned are always <EM>every</EM> value in the Lookup Table. Which I know is not right. Any thoughts / help appreciated.</P> Fri, 05 Aug 2022 14:21:59 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120347#M32313 djn12313 2022-08-05T14:21:59Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120348#M32314 <P>Can you tell us the field names you are using in both your base search and the lookup table? Or post the actual search?</P> Wed, 01 Apr 2015 15:08:20 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120348#M32314 masonmorales 2015-04-01T15:08:20Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120349#M32315 <P>It looks nearly identical to what I posted.</P> <PRE><CODE>| inputlookup folders | fields "Item ID", Path | search NOT [search index=folderevents | dedup event_id | table source.item_id | format] </CODE></PRE> Wed, 01 Apr 2015 16:08:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120349#M32315 djn12313 2015-04-01T16:08:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120350#M32316 <P>Without seeing your data, I don't know which fields are supposed to match up, but I am guessing you aren't getting the expect results because your field names between the inputlookup and your data do not match.</P> Wed, 01 Apr 2015 16:16:44 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120350#M32316 masonmorales 2015-04-01T16:16:44Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120351#M32317 <P>Try this</P> <PRE><CODE>| inputlookup folders | fields "Item ID", Path | search NOT [search index=folderevents | dedup event_id | table source.item_id | rename source.item_id as "Item ID"| format] </CODE></PRE> Wed, 01 Apr 2015 17:25:58 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120351#M32317 somesoni2 2015-04-01T17:25:58Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120352#M32318 <P>Renaming the "Item ID" (what I also referred to in the original post as "lookup_id") to source.item_id ended up resolving this for me. </P> <P>Revised search looks like: </P> <PRE><CODE> | inputlookup folders | fields "Item ID", Path | rename "Item ID" as source.item_id | search NOT [search index=folderevents | dedup event_id | table source.item_id | format] </CODE></PRE> Mon, 28 Sep 2020 19:22:31 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120352#M32318 djn12313 2020-09-28T19:22:31Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120353#M32319 <P>It's strange. I tried renaming the field in the sub search first and couldn't get it to work. For some reason, however, it did work when I changed it in the inputlookup search per my comment above.</P> Wed, 01 Apr 2015 18:38:54 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120353#M32319 djn12313 2015-04-01T18:38:54Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120354#M32320 <P>Good to hear!</P> Wed, 01 Apr 2015 19:33:22 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/120354#M32320 masonmorales 2015-04-01T19:33:22Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/595610#M207292 <P>Hello All,&nbsp;<BR /><BR />I have a usecase of fetching list of hosts in an index but not listed in the lookup table.</P><P>For example: -<BR />indexA has 5 hosts: host1. host2. host3, host4, host5</P><P>In lookup table, we have two columns: -<BR />index<BR />host<BR /><BR /></P><TABLE border="1" width="100%"><TBODY><TR><TD width="50%"><STRONG>index</STRONG></TD><TD width="50%"><STRONG>host</STRONG></TD></TR><TR><TD width="50%">indexA</TD><TD width="50%">host1</TD></TR><TR><TD width="50%">indexA</TD><TD width="50%">host3</TD></TR></TBODY></TABLE><P>&nbsp;</P><P>Thus, as the result I need host2, host4, host5.&nbsp;<BR /><BR />It would be great to receive any inputs that helps to build the logic for the solution.</P><P>Thank you</P> Wed, 27 Apr 2022 15:37:40 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/595610#M207292 Taruchit 2022-04-27T15:37:40Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/598291#M208334 <P>Hello&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/158851">@djn12313</a>&nbsp;<BR /><BR />Your SPL works successfully to fetch records present in lookup table and not in index.&nbsp;</P><P>Can you please share if the same query can be extended to fetch the max(_time) of the events returned by the SPL? That means, displaying the events along with the time when they were last present in the index.</P><P>Thank you</P> Wed, 18 May 2022 11:34:12 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/598291#M208334 Taruchit 2022-05-18T11:34:12Z https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/608437#M211547 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/158851">@djn12313</a>&nbsp;,</P><P>I tried using the approach you shared in the above post, however, I am still getting results which are common in search results and lookup table.</P><LI-CODE lang="markup">|inputlookup table.csv |fields index, host | search NOT [search index="xxx" |rename orig_* AS * | dedup host | table index, ssc_division, host | format]</LI-CODE><P>In the index, field names are orig_host and orig_index, thus, used rename.&nbsp;</P><P>Thus, please share how I can get those results which are present in lookup table and not fetched in Splunk logs.</P><P>Thank you</P> Fri, 05 Aug 2022 12:35:04 GMT https://community.splunk.com/t5/Splunk-Search/How-to-search-Items-in-a-Lookup-Table-NOT-present-in-Index/m-p/608437#M211547 Taruchit 2022-08-05T12:35:04Z