Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to exclude results from a search by referencing a lookup table?

ezmo1982
Path Finder
‎09-01-2020 08:00 AM

Hi,

I have a search that is returning values from certain fields of an index. I would like the search to use a lookup table and check if the values exist in the lookup table. If they do, I need them to be excluded from the search results.

My search term is below and returns 3 fields of the index in question:

index=duo
| fields user location.country location.city | table user location.country location.city

My lookup table is named locations.csv, which has 3 columns - user, country, city  So as an example, values for one row could be John France Paris . If the search returns a result where user=John, location.country=France and location.city=Paris, I want that to be excluded from the search results as it exists in the lookup file. 

It is important that all 3 values must exist on a row in the lookup file csv, for it to be excluded in the search results.

Can someone please help me on this?

Thanks!

Labels (2)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2020 08:19 AM

Try a subsearch.

index=duo NOT [ | inputlookup locations.csv | rename country as 'location.country', city as 'location.city' | fields user 'location.country' 'location.city' | format ]
| fields user location.country location.city | table user location.country location.city
---
If this reply helps you, Karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

rnowitzki
Builder
‎09-01-2020 08:30 AM

Hi @ezmo1982 ,

This should do it. I had to rename user, because I needed it to have another name as the one in the lookup and i had to replace the dot in location.city and location.country with a "_", because my where did not work correct when the fields had the dot (don't know why...)

| makeresults 
| eval user="John", location.country="France", location.city="Paris"
| rename user AS search_user, location.country AS location_country, location.city AS location_city
| appendcols [| inputlookup locations.csv]
| where NOT (location_country==country AND user==search_user AND location_city==city)
| fields user, location_country, location_city

You used need the lines starting with the rename command, the 2 above them where just to make up an event with a sample dataset.

Hope it works with your data.

BR
Ralph

 

--
Karma and/or Solution tagging appreciated.
0 Karma
Reply
Solved! Jump to solution
Solution

richgalloway
SplunkTrust
SplunkTrust
‎09-01-2020 08:19 AM

Try a subsearch.

index=duo NOT [ | inputlookup locations.csv | rename country as 'location.country', city as 'location.city' | fields user 'location.country' 'location.city' | format ]
| fields user location.country location.city | table user location.country location.city
---
If this reply helps you, Karma would be appreciated.
Reply
Get Updates on the Splunk Community!

Detecting Brute Force Account Takeover Fraud with Splunk

This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...

Buttercup Games: Further Dashboarding Techniques (Part 9)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...

Buttercup Games: Further Dashboarding Techniques (Part 8)

This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Top