Alerting

Hi Team, what is the search query to remove the first two rows from lookup table

aaa2324
Engager

Tried inputlookup=abc | search NOT “row value” ,, but still getting the rows 

I want to remove the entire two rows (first and second ) ; please help

Labels (1)
0 Karma

gcusello
Legend

Hi @aaa2324,

let me understand: do you want to have ad search results all the lookup rows but not the first two rows or to delete the first two rows of a lookup?

in first case, you could run something like this:

| inputlookup abc.csv start=2
| table *

in the second case, you have to add the outputlookup command at the end of the search, something like this:

| inputlookup abc.csv start=2
| table *
| outputlookup abc.csv

You can find more infos at https://docs.splunk.com/Documentation/Splunk/8.1.0/SearchReference/Inputlookup

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Splunk Forwarders and Forced Time Based Load Balancing

Splunk customers use universal forwarders to collect and send data to Splunk. A universal forwarder can send ...

NEW! Log Views in Splunk Observability Dashboards Gives Context From a Single Page

Today, Splunk Observability releases log views, a new feature for users to add their logs data from Splunk Log ...

Last Chance to Submit Your Paper For BSides Splunk - Deadline is August 12th!

Hello everyone! Don't wait to submit - The deadline is August 12th! We have truly missed the community so ...