I'm trying to optimize my Splunk Windows Event Log dashboard and wanted to add a CSV exclusion file that would filter out some events that aren't necessary to monitor.
CSV file contents:
TaskName,EventCode
Microsoft Edge,4101
Firefox,4101
To filter events, I tried this search query:
AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ]
However, it doesn't give me what I want; it converts the search string to:
(NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox"))
But I want this:
AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox"))
Is there an easy way of using "AND" OR "AND" with a CSV inputlookup?
What you want is the default for a subsearch, and I am guessing you are looking at the search.log showing the Expanded search line.
I think you will find that
NOT (A AND B)
is the same as (NOT A OR NOT B)
because:
A+B is excluded (is both A AND B)
A+C is included (=NOT B)
B+C is included (=NOT A)
You can always see what your search is doing by running the subsearch with a format statement, i.e.
| inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode | format
and you will see that it is doing what you want.
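To make the answer concrete, here is an added Python example (not from the thread and not Splunk's own code) that emulates what the subsearch does: it loads a constructed stand-in for wineventlog_exclusions_v2.csv, builds the string that `| format` would produce (an approximation of Splunk's default output, with fields inside a row ANDed and rows ORed), and then filters a handful of constructed sample events two ways: with the NOT ((A AND B) OR (C AND D)) form the question asks for, and with the De Morgan form (NOT A OR NOT B) AND (NOT C OR NOT D) that search.log shows. Matching a bare term against `_raw` is a simplification of Splunk's free-text search; the event lines and EventCode values are made up for the demonstration.

```python
import csv
import io

# Constructed stand-in for wineventlog_exclusions_v2.csv; only these two
# rows appear on the page, the poster's real file is not shown.
EXCLUSIONS_CSV = """TaskName,EventCode
Microsoft Edge,4101
Firefox,4101
"""

# Constructed sample events (simplified: a raw line plus the EventCode field).
SAMPLE_EVENTS = [
    {"_raw": "TaskName=Microsoft Edge Task Scheduler launched task", "EventCode": "4101"},
    {"_raw": "TaskName=Firefox Task Scheduler launched task", "EventCode": "4101"},
    {"_raw": "TaskName=Microsoft Edge Task Scheduler launched task", "EventCode": "4104"},
    {"_raw": "TaskName=Google Chrome Task Scheduler launched task", "EventCode": "4101"},
]


def load_exclusions(text):
    """Parse the lookup and rename TaskName to query, as the SPL does."""
    return [{"query": r["TaskName"], "EventCode": r["EventCode"]}
            for r in csv.DictReader(io.StringIO(text))]


def format_subsearch(rows):
    """Approximate the default `| format` output: fields within one row are
    ANDed, rows are ORed. The special field 'query' is emitted as a bare
    free-text term; any other field becomes field="value"."""
    clauses = []
    for row in rows:
        terms = ['"%s"' % v if f == "query" else '%s="%s"' % (f, v)
                 for f, v in row.items()]
        clauses.append("( " + " AND ".join(terms) + " )")
    return "( " + " OR ".join(clauses) + " )"


def term_matches(event, field, value):
    """A bare term must occur in _raw (simplification); a field term must
    equal the event's field value."""
    if field == "query":
        return value in event["_raw"]
    return event.get(field) == value


def row_matches(event, row):
    return all(term_matches(event, f, v) for f, v in row.items())


def keep_direct(event, rows):
    """NOT ( (A AND B) OR (C AND D) ): the form the question asks for."""
    return not any(row_matches(event, r) for r in rows)


def keep_expanded(event, rows):
    """(NOT A OR NOT B) AND (NOT C OR NOT D): the form search.log shows.
    By De Morgan this must agree with keep_direct on every event."""
    return all(any(not term_matches(event, f, v) for f, v in r.items())
               for r in rows)


def filter_events(events, rows):
    """Return the events that survive the exclusion, checking along the way
    that the two logically equivalent forms never disagree."""
    kept = []
    for ev in events:
        direct, expanded = keep_direct(ev, rows), keep_expanded(ev, rows)
        assert direct == expanded, "De Morgan equivalence violated"
        if direct:
            kept.append(ev)
    return kept


if __name__ == "__main__":
    rows = load_exclusions(EXCLUSIONS_CSV)
    print(format_subsearch(rows))
    for ev in filter_events(SAMPLE_EVENTS, rows):
        print("kept:", ev["EventCode"], ev["_raw"])
```

Running it keeps exactly the two events the answer says should survive: the Edge task with a different EventCode (A+C) and the non-listed task with EventCode 4101 (B+C), while both Edge/4101 and Firefox/4101 are dropped, whichever of the two boolean forms is used.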