Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Inputlookup used twice in 1 search with a NOT

willadams
Contributor
‎08-23-2020 11:25 PM

I have a problem with a 2nd NOT inputlookup that doesn't work.  If I break out of the 2nd inputlookup and run this within SPL it works.  For example the following search would work

 

 

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest
]
| search NOT interest IN ("*jump*","*sheet*","*hang*","*worry*")
| table interest

 

 

 however if I then move this into a lookup it ignores the CSV file and shows  me data that I have omitted

 

 

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest
]
| search NOT [|inputlookup myexcludedstuff.csv | rename field1 AS interest | fields interest]
| table interest

 

 

 

 
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-24-2020 05:53 AM

Try adding format to the subsearch.

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest
]
| search NOT [|inputlookup mystuff.csv | rename field1 AS interest | fields interest | format]
| table interest

 

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

willadams
Contributor
‎08-24-2020 10:49 PM

Apologies I have corrected the 2nd XML example (copy and paste fail).  I tried to add a | format to my subsearch but it still operates as though the NOT for the lookup doesn't exist.

 

 

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest
]
| search NOT [|inputlookup myexcludedstuff.csv | rename field1 AS interest | fields interest | format]
| table interest

 

 
0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎08-25-2020 06:06 AM

Where is the XML?

Another format command may be needed.

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest | format
]
| search NOT [|inputlookup myexcludedstuff.csv | rename field1 AS interest | fields interest | format]
| table interest

Or you can use a single statement

index=foo sourcetype=foosource
[| inputlookup mystuff.csv
| rename field1 AS interest
| fields interest | format
] 
NOT [|inputlookup myexcludedstuff.csv | rename field1 AS interest | fields interest | format]
| table interest

The objective is to turn each lookup table into a valid expression such as (interest="foo" OR interest="bar") and the final query becomes

index=foo sourcetype=foosource (interest="foo" OR interest="bar")
NOT (interest="baz" OR interest="bat")
| table interest

You can verify what the final query looks like in the search log.

Run each inputlookup command separately to verify the results are valid expressions.

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...