Solved: Exclude results from lookup table in search

tromero3 · ‎06-15-2020

I have a lookup table with Scheduled Tasks called Scheduled_Tasks, and only one column in it called "Task_Name". This matches the "TaskName" field in my events.

I need to do a search where I only display results where the TaskName field in events DOES NOT contain a value in the Scheduled_Tasks lookup table. I've looked at almost every question/answer on this topic and came up with this , however it is not excluding anything I have in the lookup table. What am I Doing wrong? Thank you!

index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks | fields Task_Name]

to4kawa · ‎06-15-2020

index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks |rename Task_Name as TaskName | fields TaskName]

try rename

View solution in original post

TurboTurtle · ‎03-02-2023

I have been trying to add another column, but it's giving me different condition logic. Let's say I want to also filter it not just on a task name in CSV, but with EventCode included.

TaskName	EventCode
Microsoft Edge	4101
Firefox	4101

I tried this:

AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ]

However it doesn't give me what I want, it converts it to:

(NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox"))

I want this:

AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox"))

to4kawa · ‎06-15-2020

index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks |rename Task_Name as TaskName | fields TaskName]

try rename

tromero3 · ‎06-15-2020

That worked! Thank you 🙂

Exclude results from lookup table in search

lookup

User Groups | Upcoming Events!

Splunk Lantern | Spotlight on Security: Adoption Motions, War Stories, and More

Splunk Cloud | Empowering Splunk Administrators with Admin Config Service (ACS)