Splunk Search

How do I return values that unmatched column in Lookup table?

sabeqa
Engager

i am trying to search for urls that are not in my allowed list lookup csv , my csv file is named as url and has 1 column with a header called hostname, below is the search which gives a wrong output.

fgt_webfilter profile=* status=passthrough NOT [ inputlookup url ]

Tags (1)
0 Karma

richgalloway
SplunkTrust
SplunkTrust

Try this.

`fgt_webfilter` profile=* status=passthrough NOT [  | inputlookup url | format ]
---
If this reply helps you, Karma would be appreciated.

sabeqa
Engager

now i am getting an output but includes some wrong results, (urls in the csv are still appearing)

0 Karma

harsmarvania57
Ultra Champion

Hi @sabeqa,

Try this one fgt_webfilter profile=* status=passthrough NOT [ | inputlookup url | format ]

0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...