Hi, I am new at Splunk and I'm following the lab in Enriching Data with Lookups, where I'm requested to exclude a value using the Filter Lookup. I have a Lookup definition based on knownusers.csv
In the video it doesn't explain or show any example for this specific field. I have tried the following:
user NOT (root OR mail OR apache)
user <> (root OR mail OR apache)
|inputlookup knownusers.csv |eval user NOT (root OR mail OR apache)
And nothing is working. Could you please tell me what I am doing wrong?
You could do something like this
| inputlookup knownusers.csv
| where NOT user IN ("root", "mail", "apache")
Although this might not be classed as filtering using a lookup.
Assuming you have a user field in your events, you could filter them like this
| lookup knownusers.csv user OUTPUT user AS found_user
| where isnull(found_user)
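As an added example (not part of the original answer or of the lab), here is the same lookup-based exclusion run against a constructed set of events, so it can be checked without any indexed data. It assumes knownusers.csv is the uploaded lookup table file with a single `user` column containing root, mail and apache; the six users generated by `makeresults`/`eval` are constructed for the test, and the mixed-case "Root" is included on purpose.

```spl
| makeresults count=6
| streamstats count AS n
| eval user=case(n=1,"root", n=2,"mail", n=3,"alice", n=4,"apache", n=5,"bob", n=6,"Root")
| fields user
| lookup knownusers.csv user OUTPUT user AS found_user
| where isnull(found_user)
| table user
```

The `lookup` command adds `found_user` only to events whose `user` value has a row in the CSV, so `where isnull(found_user)` keeps the rows that are NOT known users: alice, bob and Root. "Root" survives because CSV lookups match case-sensitively by default; if that is not what you want, set Case sensitive match to false in the lookup definition (`case_sensitive_match = false` in transforms.conf) rather than trying to list every spelling in the filter. Note also that the `inputlookup` variant above only filters the rows of the lookup table itself; to exclude known users from your events you need the `lookup` ... `where isnull(...)` form.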