Getting Data In

How to reference csv subsearch results to exclude matching hostnames from main csv search results?

lbogle
Contributor

Hello Splunkers,
I am successfully searching two indexes from two separate .csv files. Both indexes contain a 'similar' set of hostnames. I am searching index A for a particular list of hostnames that I would like to reference so that I can exclude any matching hostnames from index B. Anything with the field where Purpose2 has the word 'farm' in it needs to be excluded from both lists.
I will eventually be joining the hostnames lists between indexes as one single master list but I need to exclude the list from Index A from both.

Here is the search that identifies the list of hostnames from index A:

index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS hostname

search for index B which successfully returns a list of hostnames:

index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* | rename CN as hostname

How do I get index B search to "see" and exclude the search from index A?

Thank you very much for any assistance.

Tags (3)
1 Solution

somesoni2
SplunkTrust
SplunkTrust

Try this

 index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* NOT [search  index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS CN| table CN]| rename CN as hostname

View solution in original post

somesoni2
SplunkTrust
SplunkTrust

Try this

 index=test_assets source="C:\\Splunk Test Assets\\AD-LDAP export.csv" earliest=-90d@d latest=-0d@d CN=* NOT [search  index=asset_db source="/var/asset_database/fullpull.csv" "Reporting Status"=Reporting "High Level Status"=Production "System Name"=* "Purpose2"=*Farm* | rename "System Name" AS CN| table CN]| rename CN as hostname

lbogle
Contributor

I think that did it! Thanks!

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...