How to exclude combinations of values in lookup from search?

ilya
New Member

Hi, Team!

I have a rule:

index = example source = "Rule" | fields user, src_time, src_app, src, src_lat, src_long, src_city, src_country, dest_time, dest_app, dest, dest_lat, dest_long, dest_city, dest_country, distance, speed | stats count by dest, dest_app

And there is a lookup, in which the ip addresses and apps are indicated in two columns.

How can I exclude from the rule a bunch of ip and applications that are in the lookup?

Thank you for your time!

PickleRick
SplunkTrust

<<your search>> NOT ([ | inputlookup yourlookup.csv ]) 

I'm not sure the parentheses are necessary but they won't hurt 😉

You might need to rename columns in the subsearch so they match field names from your search.

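PickleRick's pattern applied to the original search, as an added example that is not from either poster. It assumes the lookup is called allowed_pairs.csv with columns ip and app; those are renamed to dest and dest_app so each lookup row becomes one (dest=... AND dest_app=...) term, and the NOT drops only events matching both values of the same row, not every event that matches either column on its own.

```spl
index=example source="Rule"
| fields user, src_time, src_app, src, src_lat, src_long, src_city, src_country, dest_time, dest_app, dest, dest_lat, dest_long, dest_city, dest_country, distance, speed
| search NOT [
    | inputlookup allowed_pairs.csv
    | rename ip AS dest, app AS dest_app
    | fields dest, dest_app
  ]
| stats count by dest, dest_app
```

The trailing `fields` keeps any extra lookup columns out of the generated filter; since subsearches are capped by limits.conf (10,000 rows and 60 seconds by default), a very large lookup is better handled with `lookup ... OUTPUT` followed by `where isnull(...)` instead.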