Re: Exclude from search values from lookup table

braicu · ‎03-26-2019

Hello,

I have a lookup table which i test it like this :
|inputlookup approved_s3_buckets.csv

and display the column :
Bucket-Name
bucketname1
bucketname2
.....
bucketname50

And i have a search which display me :
Bucket-Name
bucketname1
bucketname2
bucketname3
bucketname100
buketname535353

I want to exclude from my search, the values of bucket names which are present into the lookup table approved_s3_buckets.csv .
(Something similar with Bucket-Name!=bucketname1 AND Bucket-Name!=bucketname2.... and so on)

adonio · ‎03-26-2019

hello there

try this out:
... your search ... NOT [ |inputlookup approved_s3_buckets.csv | fields approved_s3_buckets.csv | dedup approved_s3_buckets.csv | table approved_s3_buckets.csv]

for practice, try the following searches:
first, create a small fruit basket lookup:

| makeresults count=1
| eval fruits = "apple,banana,orange,lemon"
| makemv delim="," fruits
| mvexpand fruits
| outputlookup fruits.csv

then check its there:

| inputlookup fruits.csv

then add 2 extra fruits to the basket and verify they arent there:

| makeresults count=1
| eval fruits = "apple,banana,orange,lemon,melon,watermelon"
| makemv delim="," fruits
| mvexpand fruits
| search fruits = * NOT [| inputlookup fruits.csv | fields fruits | dedup fruits | table fruits ]

hope it helps

Exclude from search values from lookup table

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

Splunk Community Badges!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Join the Conversation