Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to develop a search to find what is NOT in a lookup table with another lookup comparison?

mgrosholz
Path Finder
‎05-11-2017 08:19 AM

I have two lookup tables and I want to search what is NOT in lookup2 but in lookup1.

I have tried:
... NOT [|inputlookup lookup2 ....]

So overall I have something like:

index=foo NOT [| inputlookup lookup2]
| lookup lookup1 fieldA
|... rest of search ...

But nothing works. Any tips?

Tags (2)
0 Karma
Reply

kamlesh_vaghela
SplunkTrust
SplunkTrust
‎05-16-2017 06:10 AM

Hi mgrosholz,
Can you please try this one??

index=foo NOT [| inputlookup lookup2 | return fieldX fieldY fieldZ ] [| inputlookup fieldA | return fieldA ]
|... rest of search ..

Here, I have used return command. For more info please check below URL.

https://docs.splunk.com/Documentation/Splunk/6.5.3/SearchReference/Return

Thanks
Kamlesh

0 Karma
Reply

mgrosholz
Path Finder
‎05-14-2017 08:51 AM

More clarification:
lookup1 and lookup2 have different fields respectively.

The goal is to:
- Have events from index=foo...
- Show only events that match fieldA in lookup1...
- Output fieldB and fieldC from lookup1...
- Remove events (or not see) that match fieldX, fieldY, and fieldZ in lookup2...

0 Karma
Reply

wenthold
Communicator
‎05-11-2017 12:20 PM

If you want to search index=foo for anything that matches lookup1, but remove any results from lookup2:

index=foo [ | inputlookup lookup1 | format ] | search NOT [| inputlookup lookup2 | format ]

If you're just trying to get results from index=foo, excluding anything from lookup2:

index=full NOT [ | inputlookup lookup2 | format ] | ....
0 Karma
Reply

mgrosholz
Path Finder
‎05-11-2017 11:38 AM

There is confusion with the title. The first lookup should not affect the second lookup.

I am looking at lookup1 and getting results. Then I am saying do not look at events that match lookup2.

0 Karma
Reply

somesoni2
Revered Legend
‎05-11-2017 09:22 AM

Try like this (assuming the field name that is common in all is fieldA)

index=foo [| inputlookup lookup1.csv | search NOT [| inputlookup lookup2.csv | table fieldA]]
|...rest of the search
0 Karma
Reply

mgrosholz
Path Finder
‎05-11-2017 11:09 AM

It doesn't pull anything. Checked the lookup, it was empty. So it should spit out results.

0 Karma
Reply

mgrosholz
Path Finder
‎05-11-2017 11:10 AM

I have been using the lookup command for lookup1 and it works great. I can read, compare, and pull fields. But I can't figure out how to say ignore lookup2 events.

0 Karma
Reply

somesoni2
Revered Legend
‎05-11-2017 11:41 AM

The subsearch | inputlookup lookup1.csv | search NOT [| inputlookup lookup2.csv | table fieldA] is suppose to give you events from lookup1 which are not in lookup2 (based on fieldA comparision). I would just run that first, validate the results and then add to your main search.

0 Karma
Reply

mgrosholz
Path Finder
‎05-11-2017 01:08 PM

No results with just the subsearch.

0 Karma
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...