topic Re: Lookup - How to compare and remove events from the search? in Splunk Search

Lookup - How to compare and remove events from the search?

bruno_eduardo — Tue, 29 Sep 2020 07:31:34 GMT

I need to remove a list of servers from my search. This list changes once a month so I thought of using a lookup table. Is it possible? How can I do it?

So in my index, there is a field Server_Name, and on my lookup table there is a field Server_Name_To_Be_Removed. What I need is to compare both fields and remove the events that match value of this field.

Index=Servers    MyBaseSearch   NOT Compared_Equal_Server_Name_To_Be_Removed=Yes

Re: Lookup - How to compare and remove events from the search?

chaker — Wed, 07 Oct 2015 14:43:08 GMT

Take a look at

http://answers.splunk.com/answers/93488/how-to-use-lookup-to-exclude-a-list-of-user-names-and-service-file-names.html

and

http://answers.splunk.com/answers/65646/how-to-use-a-lookup-csv-to-exclude-items-from-a-search.html

Use a NOT with the sub-search on the inputfile with the server names.

Re: Lookup - How to compare and remove events from the search?

bruno_eduardo — Tue, 29 Sep 2020 07:31:37 GMT

Sorry, but I still can't do it, there was no accepted answer on those posts.

What I am trying to do is:

index=* |fields Server_Name NOT [|inputlookup LookUpTable.csv append=f| fields Server_Name_To_Be_Removed] |Table Server_Name

But is not working

Re: Lookup - How to compare and remove events from the search?

chaker — Thu, 08 Oct 2015 04:25:26 GMT

What does the job inspector say?

It should show the expanded search that your subsearch creates.

Also, check that your lookupfile has been uploaded with the correct application context. Make sure that using <|inputlookup table> on its own gives you the contents of the lookup.

Re: Lookup - How to compare and remove events from the search?

somesoni2 — Thu, 08 Oct 2015 06:11:46 GMT

Check the field name in the lookup table. If it's same as as the field name available in base search (Server_Name) then add a rename command in your subsearch after fields command.

Re: Lookup - How to compare and remove events from the search?

bruno_eduardo — Tue, 29 Sep 2020 07:29:39 GMT

I Got it:

index="Servers" NOT [|inputlookup lookup_name | fields Server_Name] |table Server_Name

First you need to import the .csv file on Settings --> Lookups --> Add New --> Lookup File and the Lookup Definition

The important thing is: the field name must be the same.

Thanks

Re: Lookup - How to compare and remove events from the search?

jeffsegal — Wed, 09 May 2018 19:10:27 GMT

It worked, thank you for your help.