Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How do you exclude an item from a lookup table and an additional condition?

yemyslf
Path Finder
‎02-28-2019 02:32 PM

I have a lookup table that I'm using to exclude some devices from search results. 

index = my_index  
    | lookup my_table local=true device_id OUTPUT device_id as ignore  
    | where isnull(ignore)

This works great, but I need to add an additional condition to only exclude devices if they are in the lookup table and the value of the field "code" = 0001. So an event shouldn't be excluded even if it is in the lookup table unless code=0001 and events with code=0001 should be included if they are not in the lookup table.

I've tried the following but this also removes all items where

 code=0001
index = my_index  
    | lookup my_table local=true device_id OUTPUT device_id as ignore  
    | where (isnull(ignore) AND code!=0001)

I assume this is a dumb mistake in my logic but can't figure out what I'm doing wrong?

0 Karma
Reply

integratorz
Path Finder
‎02-28-2019 05:14 PM

If you are looking to filter out events where ignore is null you can actually do this as well: ignore="*"

This essentially means ignore needs to have a value.

Also, to do the second filter I would do it this way:

index=my_index 
| lookup my_table local=true device_id OUTPUT device_id as ignore 
| search ignore="*" code!=0001

In the last line, anything after the search command implies AND

0 Karma
Reply

yemyslf
Path Finder
‎03-01-2019 05:37 AM

Thanks for the response. I'm actually trying to exclude events where the device_id is in my lookup table. So doing | search ignore="*" retrieves events that I want to exclude. Because "ignore" isn't a field on the other events, I can't do ignore !="*". I was using isnull(ignore) because that returns events where there is no ignore field.

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...