Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exclude results from lookup table in search v2?

TurboTurtle
Engager
‎03-05-2023 06:47 PM

I'm trying to optimize my Splunk Windows Event Log dashboard, and wanted to add CSV exclusion file that would filter out some events that aren't necessary to monitor.

CSV file contents:

TaskName EventCode
Microsoft Edge 4101
Firefox 4101

 

To filter events, I tried this search query:

AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ]

However it doesn't give me what I want, it converts search string to:

(NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox"))

But I want this:

AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox"))

 

Is there an easy way of using "AND" OR "AND" for CSV inputlookup?

Labels (4)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-05-2023 07:03 PM

What you want is the default for a subsearch and I am guessing you are looking at the search.log showing the Expanded search line.

I think you will find the 

NOT (A AND B)

is the same as (NOT A OR NOT B)

as 

A+B is excluded (is both A AND B)
A+C is included (=NOT B)
B+C is included (=NOT A)

You can always see what your search is doing by running the subsearch with a format statement, i.e.

| inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode | format

and you will see that it is doing what you want

View solution in original post

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎03-05-2023 07:03 PM

What you want is the default for a subsearch and I am guessing you are looking at the search.log showing the Expanded search line.

I think you will find the 

NOT (A AND B)

is the same as (NOT A OR NOT B)

as 

A+B is excluded (is both A AND B)
A+C is included (=NOT B)
B+C is included (=NOT A)

You can always see what your search is doing by running the subsearch with a format statement, i.e.

| inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode | format

and you will see that it is doing what you want

Reply
Get Updates on the Splunk Community!

Splunk Security Content for Threat Detection & Response, Q1 Roundup

Join Principal Threat Researcher, Michael Haag, as he walks through:An introduction to the Splunk Threat ...

Splunk Life | Happy Pride Month!

Happy Pride Month, Splunk Community! 🌈 In the United States, as well as many countries around the ...

SplunkTrust | Where Are They Now - Michael Uschmann

The Background Five years ago, Splunk published several videos showcasing members of the SplunkTrust to share ...