Solved: Re: Exclude Events Based on a Lookup

paddy3883 · ‎02-13-2013

I've written a query to find certain events in Splunk and I want to exclude any which match up with a set of values in a CSV lookup. For example for this query:

Type!=Information (*Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m

And I've a CSV with the following values

ExcludeText

Test1

Test2
Test3

I want to exclude any events which contain the text in the CSV file. I've tried this but it doesn't filter them out:

Type!=Information (*\Example1* OR *Example2* OR "*Example with spaces*") earliest=-4h latest=-1m
[| inputlookup exclude_csv | fields ExcludeText]

Any ideas?

paddy3883 · ‎02-19-2013

I managed to get this working with this subsearch string

host=EXAMPLE earliest=-3h latest=-1h[ | inputlookup example_exclude| eval search="Message!=\""+ErrorText+"\"" | fields search ]

View solution in original post

paddy3883 · ‎02-19-2013

I managed to get this working with this subsearch string

host=EXAMPLE earliest=-3h latest=-1h[ | inputlookup example_exclude| eval search="Message!=\""+ErrorText+"\"" | fields search ]

Kate_Lawrence-G · ‎02-13-2013

When I do this I just something like:

host=* "string" NOT ([|inputlookup stuff.csv | fields ] )|

Exclude Events Based on a Lookup

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

Preparing your Splunk Environment for OpenSSL3

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector