How can I remove entries from an existing lookup table?

ddrillic
Ultra Champion

I have a lookup table from which I need to remove a couple of lines. How can I do it?

0 Karma
1 Solution

niketn
Legend

@ddrillic are you looking for inputlookup --> Filter Unwanted Results --> outputlookup?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


ddrillic
Ultra Champion

Right @niketnilay ;-) this one did it:

| inputlookup <lookup name> | search host != host* | outputlookup <lookup name>

Based on How to remove a row from lookup table and update it?

@niketnilay - please convert to an answer.

manjunath_n
Engager

Have a similar requirement.

| inputlookup <lookup name> | search host != host* | outputlookup <lookup name>

We want to remove a guid record, or the line containing the guid, from the lookup table, so should we filter using = or !=?

| inputlookup abc | search guid= 123456 | outputlookup abc

When we tried this, it ended up updating only this record for the entire lookup, so ideally the query should be | inputlookup abc | search guid!= 123456 | outputlookup abc, right? Please clarify the filtering of the result, @ddrillic @niketn. Thanks!

0 Karma
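
The filter question raised in the last post, as an added example that is not part of the thread and is not Splunk code: a Python model of `inputlookup | search | outputlookup` run over a constructed CSV. It assumes an empty cell loads as a missing field and ignores SPL's case-insensitive and wildcard matching; all function names are hypothetical.

```python
import csv
import io

# Constructed sample lookup (not from the thread); the last row has an empty guid.
SAMPLE = "guid,host\n123456,web01\n234567,web02\n,web03\n"

# Hypothetical helpers modelling three SPL filters. Assumption: an empty CSV
# cell behaves like a missing field once the row is loaded by inputlookup.

def search_eq(rows, field, value):
    """search guid=123456 : keeps only the matching rows."""
    return [r for r in rows if r[field] == value]

def search_neq(rows, field, value):
    """search guid!=123456 : the field must be present and differ."""
    return [r for r in rows if r[field] not in ("", value)]

def search_not_eq(rows, field, value):
    """search NOT guid=123456 : also keeps rows where the field is empty."""
    return [r for r in rows if r[field] != value]

def rewrite_lookup(text, keep, field, value):
    """Model of inputlookup | <filter> | outputlookup on the same file:
    the lookup is replaced by exactly the rows the filter lets through."""
    reader = csv.DictReader(io.StringIO(text))
    kept = keep(list(reader), field, value)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    writer.writerows(kept)
    return out.getvalue()

if __name__ == "__main__":
    for keep in (search_eq, search_neq, search_not_eq):
        print(keep.__name__)
        print(rewrite_lookup(SAMPLE, keep, "guid", "123456"))
```

With `=` the lookup is overwritten with only the matching row. With `!=` that row is removed, but the row with no guid is dropped as well, while `NOT guid=...` keeps it.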