Is it possible to exclude search results with two ...

subachu · ‎09-25-2019

Hi,all

I'm sorry but I use lookup for the first time.
Is it possible to exclude search results with two lookup files?

Create a host name lookup file. (HOST.csv)
Create a lookup file for the service name. (NAME.csv)

First, exclude the hostname first.

index = main source = host NOT [| inputlookup HOST.csv]

What type of search statement would you like to exclude further service names from this search result?

I thought like this.

(index = main source = host NOT [| inputlookup HOST.csv]) NOT [inputlookup NAME.csv]

Could you help me?

HiroshiSatoh · ‎09-25-2019

Try this!

 index = main source = host 
     NOT [| inputlookup HOST.csv] 
     NOT [| inputlookup NAME.csv]
↓
index=main source=host  NOT ( host=X OR host=y OR host=Z ) AND NOT (name=X OR name=y OR name=Z)

morethanyell · ‎09-25-2019

I noticed that your second inputlookup did not have a pipe. You might want to try doing 2 pipes of search such as

index=main
| search NOT [|inputlookup HOST.csv]
| search NOT [|inputlookup NAME.csv]

subachu · ‎09-26-2019

Thank you for helping me. I see. I need search command. Thank you so much!!

Is it possible to exclude search results with two lookup files?

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Transform your security operations with Splunk Enterprise Security

Splunk Admins and App Developers | Earn a $35 gift card!