Splunk Search

How do you exclude an item from a lookup table and an additional condition?

yemyslf
Path Finder

I have a lookup table that I'm using to exclude some devices from search results.

index=my_index
    | lookup my_table local=true device_id OUTPUT device_id as ignore
    | where isnull(ignore)

This works great, but I need to add an additional condition to only exclude devices if they are in the lookup table and the value of the field "code" = 0001. So an event shouldn't be excluded even if it is in the lookup table unless code=0001 and events with code=0001 should be included if they are not in the lookup table.

I've tried the following, but this also removes all items where code=0001:

index=my_index
    | lookup my_table local=true device_id OUTPUT device_id as ignore
    | where (isnull(ignore) AND code!=0001)

I assume this is a dumb mistake in my logic, but I can't figure out what I'm doing wrong.

0 Karma

integratorz
Path Finder

If you are looking to filter out events where ignore is null, you can actually do this as well: ignore="*"

This essentially means ignore needs to have a value.

Also, to do the second filter I would do it this way:

index=my_index 
| lookup my_table local=true device_id OUTPUT device_id as ignore 
| search ignore="*" code!=0001

In the last line, anything after the search command implies AND.

0 Karma

yemyslf
Path Finder

Thanks for the response. I'm actually trying to exclude events where the device_id is in my lookup table, so doing | search ignore="*" retrieves the events that I want to exclude. Because "ignore" isn't a field on the other events, I can't do ignore!="*". I was using isnull(ignore) because that returns events where there is no ignore field.

0 Karma
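The thread above turns on a boolean-logic point: the requirement is "exclude an event only when it is in the lookup table AND code=0001", and the negation of that (the keep condition) is "NOT in the table OR code!=0001", not "NOT in the table AND code!=0001". The following is an added example, not code from the thread or from Splunk: a small Python model of the lookup-then-filter pipeline, with constructed lookup rows and events, that runs the original filter, the attempted filter from the question, and the intended one side by side. The SPL equivalent of the intended filter shown in the comments (`| where isnull(ignore) OR code!="0001"`) is an assumption drawn from that logic; quoting "0001" there keeps the comparison a string comparison so the leading zeros are not lost.

```python
# Added example (not from the Splunk Answers thread): a Python model of
# `index=my_index | lookup ... OUTPUT device_id as ignore | where ...`
# that compares three filter conditions over constructed data.
from typing import List, Optional, Tuple

# Constructed stand-in for the lookup table my_table (one column: device_id).
IGNORE_TABLE = {"dev-1", "dev-2"}

# Constructed events from index=my_index. "code" is kept as a string so the
# leading zeros in 0001 survive, as they would in a raw Splunk field value.
EVENTS = [
    {"device_id": "dev-1", "code": "0001"},  # in table, code 0001  -> should be excluded
    {"device_id": "dev-1", "code": "0002"},  # in table, other code -> should be kept
    {"device_id": "dev-3", "code": "0001"},  # not in table, 0001   -> should be kept
    {"device_id": "dev-3", "code": "0002"},  # not in table, other  -> should be kept
]


def lookup(event: dict) -> Optional[str]:
    """Model of `| lookup my_table local=true device_id OUTPUT device_id as ignore`.

    Returns the matched device_id, or None when no row matches, which is the
    case where the `ignore` field is absent and isnull(ignore) is true.
    """
    return event["device_id"] if event["device_id"] in IGNORE_TABLE else None


def original_filter(event: dict, ignore: Optional[str]) -> bool:
    # `| where isnull(ignore)`: drops every device that appears in the table,
    # regardless of code.
    return ignore is None


def attempted_filter(event: dict, ignore: Optional[str]) -> bool:
    # `| where (isnull(ignore) AND code!=0001)`: the version from the question.
    # Both clauses must hold, so every event with code 0001 is dropped,
    # whether or not the device is in the table.
    return ignore is None and event["code"] != "0001"


def intended_filter(event: dict, ignore: Optional[str]) -> bool:
    # Requirement: exclude only when (in table AND code == 0001).
    # De Morgan turns the keep condition into (not in table OR code != 0001),
    # i.e. the assumed SPL `| where isnull(ignore) OR code!="0001"`.
    return ignore is None or event["code"] != "0001"


def run(filter_fn) -> List[Tuple[str, str]]:
    """Apply lookup + filter to every event; return (device_id, code) of survivors."""
    return [(e["device_id"], e["code"]) for e in EVENTS if filter_fn(e, lookup(e))]


if __name__ == "__main__":
    for name, fn in [("original", original_filter),
                     ("attempted", attempted_filter),
                     ("intended", intended_filter)]:
        print(f"{name:9s} keeps {run(fn)}")
```

Running it shows the attempted filter keeping only ("dev-3", "0002"), which is exactly the symptom described in the question (every code=0001 event gone), while the intended filter keeps the dev-1/0002 event that is in the table but has a different code and the dev-3/0001 event that has the code but is not in the table. The same model also covers the `ignore="*"` approach from the reply: that search keeps precisely the events where `lookup()` returns a value, which is the complement of what the question wants.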