I have a list of hosts in a lookup file called myhost.csv. I pipe my search results through this list to get a list of hosts that match those in my lookup file; however, I actually want Splunk to output a list of hosts from my lookup file that DID NOT return results.
Does this make sense?
Something like this?
| inputlookup myhosts.csv | search NOT [search { whatever criteria } | fields host]
should do what you're looking for.
This was really close.
I had to use format to get it to work:
| inputlookup myhosts.csv | search NOT [search stuff | fields host | format ]
Is there an issue with adding a flag to the lookup file, using it as a lookup, then searching for events without the flag?
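For comparison with the `NOT [subsearch]` form in the replies above, here is an added example (not from any poster in this thread) that finds the same silent hosts by seeding every lookup host with a count of zero and summing in the observed event counts. The `index=main earliest=-24h` criteria and the `seen` field name are assumptions standing in for "whatever criteria"; the lookup is assumed to have a `host` column.

```spl
| inputlookup myhosts.csv
| fields host
| eval seen=0
| append
    [ search index=main earliest=-24h
      | stats count AS seen BY host ]
| stats sum(seen) AS seen BY host
| where seen=0
```

`stats ... BY host` compares values case-sensitively, so normalize both sides (for example with `eval host=lower(host)`) if the lookup and the events disagree on case; otherwise a reporting host can show up as silent.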