Re: Exclude from search values from lookup table

braicu · ‎03-26-2019

Hello,

I have a lookup table which i test it like this :
|inputlookup approved_s3_buckets.csv

and display the column :
Bucket-Name
bucketname1
bucketname2
.....
bucketname50

And i have a search which display me :
Bucket-Name
bucketname1
bucketname2
bucketname3
bucketname100
buketname535353

I want to exclude from my search, the values of bucket names which are present into the lookup table approved_s3_buckets.csv .
(Something similar with Bucket-Name!=bucketname1 AND Bucket-Name!=bucketname2.... and so on)

adonio · ‎03-26-2019

hello there

try this out:
... your search ... NOT [ |inputlookup approved_s3_buckets.csv | fields approved_s3_buckets.csv | dedup approved_s3_buckets.csv | table approved_s3_buckets.csv]

for practice, try the following searches:
first, create a small fruit basket lookup:

| makeresults count=1
| eval fruits = "apple,banana,orange,lemon"
| makemv delim="," fruits
| mvexpand fruits
| outputlookup fruits.csv

then check its there:

| inputlookup fruits.csv

then add 2 extra fruits to the basket and verify they arent there:

| makeresults count=1
| eval fruits = "apple,banana,orange,lemon,melon,watermelon"
| makemv delim="," fruits
| mvexpand fruits
| search fruits = * NOT [| inputlookup fruits.csv | fields fruits | dedup fruits | table fruits ]

hope it helps

Exclude from search values from lookup table

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases

Are you a member of the Splunk Community?

Exclude from search values from lookup table

Building Reliable Asset and Identity Frameworks in Splunk ES

Cloud Monitoring Console - Unlocking Greater Visibility in SVC Usage Reporting

Automatic Discovery Part 3: Practical Use Cases