Is it possible to exclude search results with two ...

subachu · ‎09-25-2019

Hi,all

I'm sorry but I use lookup for the first time.
Is it possible to exclude search results with two lookup files?

Create a host name lookup file. (HOST.csv)
Create a lookup file for the service name. (NAME.csv)

First, exclude the hostname first.

index = main source = host NOT [| inputlookup HOST.csv]

What type of search statement would you like to exclude further service names from this search result?

I thought like this.

(index = main source = host NOT [| inputlookup HOST.csv]) NOT [inputlookup NAME.csv]

Could you help me?

HiroshiSatoh · ‎09-25-2019

Try this!

 index = main source = host 
     NOT [| inputlookup HOST.csv] 
     NOT [| inputlookup NAME.csv]
↓
index=main source=host  NOT ( host=X OR host=y OR host=Z ) AND NOT (name=X OR name=y OR name=Z)

morethanyell · ‎09-25-2019

I noticed that your second inputlookup did not have a pipe. You might want to try doing 2 pipes of search such as

index=main
| search NOT [|inputlookup HOST.csv]
| search NOT [|inputlookup NAME.csv]

subachu · ‎09-26-2019

Thank you for helping me. I see. I need search command. Thank you so much!!

Is it possible to exclude search results with two lookup files?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk

Are you a member of the Splunk Community?

Is it possible to exclude search results with two lookup files?

Splunk App for Anomaly Detection End of Life Announcment

Aligning Observability Costs with Business Value: Practical Strategies

Mastering Data Pipelines: Unlocking Value with Splunk