Solved: CSV Lookup - Exclusions - Help Required.

driva · ‎05-20-2020

Hi guys,

I'm trying to work out what's wrong with my search (see below). I have a CSV lookup file with a list of names that I would like to exclude from the search results.

index=new RequestID=* NOT [| inputlookup User_Exclusions.csv | fields Exclude_User ] | stats count | rename count as Total

Any help is greatly appreciated!

Many thanks!

D

driva · ‎05-20-2020

Hi guys, I got it working - I was using format in the subsearch however the hiccup I made was that the 'field' Exclude_Users within the CSV did not quite match the Field within Splunk. I made the field of users I wanted to exclude match the field name within the CSV file and it all started working. Thanks for your help, much appreciated!

View solution in original post

driva · ‎05-20-2020

Hi guys, I got it working - I was using format in the subsearch however the hiccup I made was that the 'field' Exclude_Users within the CSV did not quite match the Field within Splunk. I made the field of users I wanted to exclude match the field name within the CSV file and it all started working. Thanks for your help, much appreciated!

rmmiller · ‎05-20-2020

You are missing the format command.

Take a look at this:
https://answers.splunk.com/answers/724348/excluding-a-list-of-ips-from-the-results.html

driva · ‎05-20-2020

Hi rmmiller, thanks for getting back to me. Unfortunately it does not work with '| format' added. It appears that the inputlookup works when run as an independent search but not as a subsearch.

richgalloway · ‎05-20-2020

Did you put | format in the subsearch or main search. It should be in the subsearch and it should have worked.

---
If this reply helps you, Karma would be appreciated.

CSV Lookup - Exclusions - Help Required.

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!