How to remove duplicate values from one index in a...

JoshuaJohn · ‎04-10-2018

I have an inputlookup that provides me a list of mac addresses, I want to remove those mac addresses from another index that contains some of the same lists in the inputlookup.

Here is my index where I do not want the mac addresses of the inputlookup to show up in.

index=Base456 WiFiMAC="*" earliest=0
| eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p") 
| where LPR >= relative_time(now(),"-7d@h")
| table "WiFiMAC"
| dedup WiFiMAC

Here is my inputlookup I am looking to subtract from the index

| inputlookup BASE123.csv 
| rename u_wifi_mac_address as Mac_Address 
| search discovery_source="AWM" 
| table Mac_Address

I had trouble using join due to it being an inputlookup.

DalJeanis · ‎04-10-2018

You probably want something like ...

 index=Base456 WiFiMAC="*" earliest=0
 | eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p") 
 | where LPR >= relative_time(now(),"-7d@h")
 | table "WiFiMAC"
 | dedup WiFiMAC 

 | rename COMMENT as "now we use the lookup as a lookup, and compare the results to what we want to drop" 
 | lookup BASE123.csv  u_wifi_mac_address as WiFiMAC OUTPUT discovery_source
 | where isnull(discovery_source) OR discovery_source!="AWM"

How to remove duplicate values from one index in another index?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?

Are you a member of the Splunk Community?

How to remove duplicate values from one index in another index?

Leveraging Detections from the Splunk Threat Research Team & Cisco Talos

New in Splunk Observability Cloud: Automated Archiving for Unused Metrics

Calling All Security Pros: Ready to Race Through Boston?