topic Re: Why is my search no longer excluding results from a lookup table? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236195#M70161 <P>In the Job Inspector, you should be able to see what the expanded subsearch looks like (have a look for the section remoteSearch)</P> <P>It should look something like:</P> <PRE><CODE>index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT (dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x) </CODE></PRE> <P>That is, it will show the expanded subsearch. Is that how it looks?</P> Wed, 20 Jan 2016 09:52:51 GMT jplumsdaine22 2016-01-20T09:52:51Z Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236190#M70156 <PRE><CODE>index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT [| inputlookup Email_exclusion] </CODE></PRE> <P>This is my search. I am trying to exclude the dest_ip from the lookup table from the search. It was working before and suddenly stopped. </P> <P>Any idea what could have gone wrong? </P> Tue, 19 Jan 2016 07:20:10 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236190#M70156 Meena_0627 2016-01-19T07:20:10Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236191#M70157 <P>What changed between when the search worked and when it suddenly stopped?</P> Tue, 19 Jan 2016 13:17:17 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236191#M70157 richgalloway 2016-01-19T13:17:17Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236192#M70158 <P>What do you get if you run the following search <CODE>| inputlookup Email_exclusion</CODE> ?</P> <P>Unless you get a single column table headed dest_ip then the search will not exclude values as you hope. There may be a problem with the lookup table. </P> Tue, 19 Jan 2016 15:11:52 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236192#M70158 jplumsdaine22 2016-01-19T15:11:52Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236193#M70159 <P>Yeah did that and I could see the results of my lookup table... </P> Wed, 20 Jan 2016 06:20:53 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236193#M70159 Meena_0627 2016-01-20T06:20:53Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236194#M70160 <P>I am not sure, it was working a week before.. the same query... but now i see no results though there are logs </P> Wed, 20 Jan 2016 06:21:32 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236194#M70160 Meena_0627 2016-01-20T06:21:32Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236195#M70161 <P>In the Job Inspector, you should be able to see what the expanded subsearch looks like (have a look for the section remoteSearch)</P> <P>It should look something like:</P> <PRE><CODE>index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT (dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x) </CODE></PRE> <P>That is, it will show the expanded subsearch. Is that how it looks?</P> Wed, 20 Jan 2016 09:52:51 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236195#M70161 jplumsdaine22 2016-01-20T09:52:51Z Re: Why is my search no longer excluding results from a lookup table? https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236196#M70162 <P>Here is how it looks like:</P> <P>search index=test action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT ( ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) )</P> Tue, 29 Sep 2020 08:28:26 GMT https://community.splunk.com/t5/Splunk-Search/Why-is-my-search-no-longer-excluding-results-from-a-lookup-table/m-p/236196#M70162 Meena_0627 2020-09-29T08:28:26Z