I have a splunk query which returns these 2 set of events.
1) domain_name="abc"
microservice_name="test"
message=[WEB] ERROR RESPONSE : NO_DOCUMENTS_FOUND ->
2) domain_name="abc"
microservice_name="test"
message=[WEB] ERROR RESPONSE : GUID_EXPIRED
my vtest.csv lookup looks like below:
domain_name; microservice_name; message
abc; test; NO_DOCUMENTS_FOUND
I am using the below query to exclude 1st set of events. I have created WILDCARD(message) match_type
| lookup vtest message OUTPUT message as exclude_message
| search NOT (exclude_message="*")
But it is not working, and I don't get any fields in "exclude_message" as well. kindly help.
1 Solution
