Splunk Search

How to filter search result using a multi field lookup table?

edhealea
Path Finder

So, I am trying to use a lookup table spammer.csv to filter out results from my search but can't get the filtering logic down to make it work completely.
Table
A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}
fred@flintstone.com, ,tinker@sbuggy.com, , ,
 ,*@bbunny.com,mmouse@wd.com, , ,
 ,*@wd.com, ,*@bbunny.com, ,
 , , , ,myemail@me.com

I can get this to work:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender]
| table _time, A1Sender,  A2Sender

How do I code something like:
{my search}
| search NOT
[ | inputlookup spammer.csv
| fields A1Sender, A2Sender
| fields A1Sender_domain, A2Sender
| fields A1Sender_domain, A2Sender_domain
| fields Recipient{}]
| table _time, A1Sender,  A2Sender


edhealea
Path Finder

If I am following you right, my search without any exclusions will return the fields A1Sender, A2Sender, Recipients{} plus some other fields not related to the lookup csv such as user, _time, src_ip ...

The csv contains A1Sender, A1Sender_domain, A2Sender, A2Sender_domain, Recipient{}. The data for each row is manually added into the csv as they are discovered. Not every field is filled, as in the example below.

A1Sender             A1Sender_domain   A2Sender            A2Sender_domain   Recipient{}
fred@flintstone.com                    tinker@sbuggy.com
                     *@bbunny.com      mmouse@wd.com
                     *@wd.com                              *@bbunny.com
                                                                             myemail@me.com


ITWhisperer
SplunkTrust

Please can you clarify what fields you want to use from the lookup table and which fields in your search you want them compared to?


edhealea
Path Finder

A1Sender,  A2Sender and Recipients{} are fields within the events.
I am looking to exclude anything in the lookup table from the results found in {mysearch}

If fields A1Sender, A2Sender contain values then omit them from the results. This works in the first example, but getting the rest to work has been difficult.

If field Recipient{} contains values then omit them from the results.

If fields A1Sender_domain, A2Sender contain values, convert A1Sender_domain into A1Sender and use A2Sender to omit from the results.
If fields A1Sender_domain, A2Sender_domain contain values, same as above, but A2Sender_domain will be A2Sender.

Did that answer your question?

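To make the exclusion rules in the post above concrete, here is a plain-Python model of them, added as an illustration and not code from the thread or from Splunk: a lookup row excludes an event only when every filled cell matches (the AND-within-row, OR-across-rows meaning a `search NOT [ ... ]` subsearch produces), the `*_domain` columns are wildcard patterns checked against the sender field of the same name (an assumed mapping, taken from the "convert A1Sender_domain into A1Sender" rule), and `Recipient{}` may be multivalue. The CSV text and the sample events are constructed from the table in the thread.

```python
import csv
import fnmatch
import io

# Constructed copy of the spammer.csv rows shown in the thread (not the poster's real file).
SPAMMER_CSV = """A1Sender,A1Sender_domain,A2Sender,A2Sender_domain,Recipient{}
fred@flintstone.com,,tinker@sbuggy.com,,
,*@bbunny.com,mmouse@wd.com,,
,*@wd.com,,*@bbunny.com,
,,,,myemail@me.com
"""

# Lookup column -> event field it is compared with (assumed mapping): the *_domain
# columns are wildcard patterns tested against the sender field of the same name.
COLUMN_TO_EVENT_FIELD = {
    "A1Sender": "A1Sender", "A1Sender_domain": "A1Sender",
    "A2Sender": "A2Sender", "A2Sender_domain": "A2Sender",
    "Recipient{}": "Recipient{}",
}

def load_rules(csv_text):
    """One dict per CSV row, keeping only the cells that are filled in."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [{k: v.strip() for k, v in row.items() if v and v.strip()} for row in reader]

def _field_matches(pattern, values):
    """Case-insensitive wildcard match against any value of a (possibly multivalue) field."""
    values = [values] if isinstance(values, str) else values
    return any(fnmatch.fnmatchcase(v.lower(), pattern.lower()) for v in values)

def row_matches(rule, event):
    """A row matches only if every filled cell matches the event (AND within a row)."""
    return all(
        COLUMN_TO_EVENT_FIELD[col] in event
        and _field_matches(pat, event[COLUMN_TO_EVENT_FIELD[col]])
        for col, pat in rule.items()
    )

def filter_events(events, rules):
    """Equivalent of `search NOT [...]`: drop an event if any row matches (OR across rows)."""
    return [e for e in events if not any(row_matches(rule, e) for rule in rules)]

# Constructed sample events; only the last one should survive the filter.
EVENTS = [
    {"A1Sender": "fred@flintstone.com", "A2Sender": "tinker@sbuggy.com"},       # row 1
    {"A1Sender": "Daffy@BBunny.com", "A2Sender": "mmouse@wd.com"},              # row 2, wildcard
    {"A1Sender": "x@wd.com", "A2Sender": "y@bbunny.com"},                       # row 3
    {"A1Sender": "x@other.com", "Recipient{}": ["a@b.com", "myemail@me.com"]},  # row 4, multivalue
    {"A1Sender": "fred@flintstone.com", "A2Sender": "other@x.com"},             # row 1 needs both: kept
]
```

Note that an event with only `A1Sender` set never matches row 2 or row 3, because those rows also require a matching `A2Sender`; that is the same behaviour a subsearch built from the full row gives.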

ITWhisperer
SplunkTrust

Which fields do you have in your lookup and which fields do you have returned by your event search?
