I have a lookup table with Scheduled Tasks called Scheduled_Tasks, and only one column in it called "Task_Name". This matches the "TaskName" field in my events.
I need to do a search where I only display results where the TaskName field in events DOES NOT contain a value in the Scheduled_Tasks lookup table. I've looked at almost every question/answer on this topic and came up with this; however, it is not excluding anything I have in the lookup table. What am I doing wrong? Thank you!
index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks | fields Task_Name]
index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks |rename Task_Name as TaskName | fields TaskName]
try rename
I have been trying to add another column, but it's giving me different condition logic. Let's say I want to also filter it not just on a task name in the CSV, but with EventCode included.
TaskName | EventCode |
Microsoft Edge | 4101 |
Firefox | 4101 |
I tried this:
AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ]
However it doesn't give me what I want, it converts it to:
(NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox"))
I want this:
AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox"))
index=myindex EventID=4698 NOT [|inputlookup Scheduled_Tasks |rename Task_Name as TaskName | fields TaskName]
try rename
That worked! Thank you 🙂
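Why the rename matters, as an added example that is not part of the original thread: a subsearch hands its rows back as a filter in which the fields of one row are ANDed and the rows are ORed, so `NOT [...]` on a field the events never carry (`Task_Name`) excludes nothing, while the renamed field (`TaskName`) does. The Python below is a simplified model of that expansion, not Splunk code; it generalizes to multi-column lookups, and all task names and events are constructed sample data.

```python
# Simplified model (an assumption of this example) of how a subsearch result
# becomes a filter: fields within a row are ANDed, rows are ORed.
# All task names and events below are constructed sample data.

def render(rows):
    """Show the search string the subsearch rows expand to."""
    groups = [" AND ".join(f'{k}="{v}"' for k, v in r.items()) for r in rows]
    return "( " + " OR ".join(f"( {g} )" for g in groups) + " )"

def row_matches(event, row):
    # A field that is absent from the event can never equal the lookup value.
    return all(event.get(k) == v for k, v in row.items())

def search_not(events, rows):
    """Events kept by: <base search> NOT [ subsearch ]"""
    return [e for e in events if not any(row_matches(e, r) for r in rows)]

def search_per_row(events, rows):
    """Same filter written per row: (NOT a OR NOT b) AND (NOT c OR NOT d) ..."""
    return [e for e in events
            if all(any(e.get(k) != v for k, v in r.items()) for r in rows)]

def rename(rows, old, new):
    """Model of `rename old as new` applied to the lookup rows."""
    return [{(new if k == old else k): v for k, v in r.items()} for r in rows]

def names(events):
    return [e["TaskName"] for e in events]

EVENTS = [
    {"EventID": "4698", "TaskName": "BackupJob"},
    {"EventID": "4698", "TaskName": "PatchScan"},
    {"EventID": "4698", "TaskName": "Updater32"},
]
LOOKUP = [{"Task_Name": "BackupJob"}, {"Task_Name": "PatchScan"}]

if __name__ == "__main__":
    # Field name from the lookup does not exist in the events: nothing excluded.
    print(render(LOOKUP), "->", names(search_not(EVENTS, LOOKUP)))
    # After the rename the field names line up and known tasks drop out.
    fixed = rename(LOOKUP, "Task_Name", "TaskName")
    print(render(fixed), "->", names(search_not(EVENTS, fixed)))
```

With a two-column lookup, `search_not` and `search_per_row` return the same events, because `NOT ((a AND b) OR (c AND d))` and `(NOT a OR NOT b) AND (NOT c OR NOT d)` are the same filter by De Morgan's law.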