Solved: Re: Exclude Events Based on a Lookup

paddy3883 · ‎02-13-2013

I've written a query to find certain events in Splunk and I want to exclude any which match up with a set of values in a CSV lookup. For example for this query:

Type!=Information (*Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m

And I've a CSV with the following values

ExcludeText

Test1

Test2
Test3

I want to exclude any events which contain the text in the CSV file. I've tried this but it doesn't filter them out:

Type!=Information (*\Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m
[| inputlookup exclude_csv | fields ExcludeText]

Any ideas?

paddy3883 · ‎02-19-2013

I managed to get this working with this subsearch string

host=EXAMPLE earliest=-3h latest=-1h[ | inputlookup example_exclude| eval search="Message!=\""+ErrorText+"\"" | fields search ]

View solution in original post

paddy3883 · ‎02-19-2013

I managed to get this working with this subsearch string

host=EXAMPLE earliest=-3h latest=-1h[ | inputlookup example_exclude| eval search="Message!=\""+ErrorText+"\"" | fields search ]

Kate_Lawrence-G · ‎02-13-2013

When I do this I just something like:

host=* "string" NOT ([|inputlookup stuff.csv | fields ] )|

Exclude Events Based on a Lookup

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas

Data Management Digest – May 2026

Join the Conversation