https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30901#M6336 <P>I've written a query to find certain events in Splunk and I want to exclude any which match up with a set of values in a CSV lookup. For example for this query:</P> <P>Type!=Information (*Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m</P> <P>And I've a CSV with the following values</P> <P>ExcludeText<BR /><BR /> Test1<BR /><BR /> Test2<BR /> Test3</P> <P>I want to exclude any events which contain the text in the CSV file. I've tried this but it doesn't filter them out:</P> <P>Type!=Information (*\Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m<BR /> [| inputlookup exclude_csv | fields ExcludeText]</P> <P>Any ideas?</P> Wed, 13 Feb 2013 17:08:39 GMT paddy3883 2013-02-13T17:08:39Z https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30901#M6336 <P>I've written a query to find certain events in Splunk and I want to exclude any which match up with a set of values in a CSV lookup. For example for this query:</P> <P>Type!=Information (*Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m</P> <P>And I've a CSV with the following values</P> <P>ExcludeText<BR /><BR /> Test1<BR /><BR /> Test2<BR /> Test3</P> <P>I want to exclude any events which contain the text in the CSV file. I've tried this but it doesn't filter them out:</P> <P>Type!=Information (*\Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m<BR /> [| inputlookup exclude_csv | fields ExcludeText]</P> <P>Any ideas?</P> Wed, 13 Feb 2013 17:08:39 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30901#M6336 paddy3883 2013-02-13T17:08:39Z https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30902#M6337 <P>When I do this I just something like:</P> <P>host=* "string" NOT ([|inputlookup stuff.csv | fields <FIELD you="" want="" to="" exclude="">] )| </FIELD></P> Wed, 13 Feb 2013 19:50:53 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30902#M6337 Kate_Lawrence-G 2013-02-13T19:50:53Z https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30903#M6338 <P>I managed to get this working with this subsearch string</P> <P>host=EXAMPLE earliest=-3h latest=-1h[ | inputlookup example_exclude| eval search="Message!=\""+ErrorText+"\"" | fields search ] </P> Tue, 19 Feb 2013 08:51:49 GMT https://community.splunk.com/t5/Splunk-Search/Exclude-Events-Based-on-a-Lookup/m-p/30903#M6338 paddy3883 2013-02-19T08:51:49Z