Join the Conversation
- Find Answers
- :
- Apps & Add-ons
- :
- Splunk Development
- :
- Splunk Dev
- :
- filter out events from lookuptable
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
filter out events from lookuptable
Hi,
I have the correlation rule-Substantial Increase In Events enabled but I just want to fine tune this rule based on our environment.
I dont want this rule to fire when there is a match in the signature that is defined in the lookuptable "substantialincreasesignature.csv".
But as soon as I run this it is throwing an error,can you check out this for me.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature| search IDS_Attacks.signature!=* [inputlookup substantialincreasesignature.csv]
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature as signatures AND NOT[|inputlookup substantialincreasesignature|fields signature]
Both search I tried but no results:(
Regards,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Give this a try
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]
Update
It could be the field names returned by the data model doesn't match the field name in lookup. Replace the inputlookup query with this in above
| inputlookup substantialincreasesignature | table signature | rename signature with ExactFieldNameFromDataModelResult]
To get the ExactFieldNameFromDataModelResult, run your base search and check the name of signature field.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
somesoni2,
your query is working fine,but it is showing data that is present in the lookuptable 'substantialincreasesignature'.I dont want to see the data that I have specified in the lookup table.
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
See the updated section of the answer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You say it's throwing an error - what error?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields IDS_Attacks.signature]
is showing results that is in lookuptable.
How to get the events that is not in the lookuptable?
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
May 2026 Splunk Expert Sessions: Security & Observability
Network to App: Observability Unlocked [May & June Series]
SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...
