Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Help with using lookups for combinations of values

neilsmith2
Explorer
‎08-31-2023 06:22 AM

I have a simple lookup file with two fields, user and host

user                                host

Bob                                   1

Dave                                  2

Karen                                 x

Sue                                     y


I want exclude any results from my search where there is any combination of host AND user where they match any value from the lookup.

For example, exclude any results where:

the user is Bob and the host is either 1, 2, x or y
the user is either Bob, Dave, Karen or Sue and the host is x 

I'm playing with this search, which appears to work but unsure if there's a flaw in my logic, or if there's a better way to do it?

 

 

index=proxy sourcetype="proxy logs"
user="*"

NOT ([| inputlookup lookup.csv  | fields user | format ] AND [| inputlookup lookup.csv  | fields host | format ])

| stats c by username, host

 

 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2023 07:38 AM

Try something like this

index=proxy sourcetype="proxy logs"
user="*"

NOT [| inputlookup lookup.csv  | eventstats values(host) as host | mvexpand host | format ]

| stats c by username, host
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...