- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Lookup - How to compare and remove events from...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I need to remove a list of servers from my search. This list changes once a month so I thought of using a lookup table. Is it possible? How can I do it?
So in my index, there is a field Server_Name, and on my lookup table there is a field Server_Name_To_Be_Removed. What I need is to compare both fields and remove the events that match value of this field.
Index=Servers MyBaseSearch NOT Compared_Equal_Server_Name_To_Be_Removed=Yes
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Got it:
index="Servers" NOT [|inputlookup lookup_name | fields Server_Name] |table Server_Name
First you need to import the .csv file on Settings --> Lookups --> Add New --> Lookup File and the Lookup Definition
The important thing is: the field name must be the same.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I Got it:
index="Servers" NOT [|inputlookup lookup_name | fields Server_Name] |table Server_Name
First you need to import the .csv file on Settings --> Lookups --> Add New --> Lookup File and the Lookup Definition
The important thing is: the field name must be the same.
Thanks
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What does the job inspector say?
It should show the expanded search that your subsearch creates.
Also, check that your lookupfile has been uploaded with the correct application context. Make sure that using <|inputlookup table> on its own gives you the contents of the lookup.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Take a look at
and
http://answers.splunk.com/answers/65646/how-to-use-a-lookup-csv-to-exclude-items-from-a-search.html
Use a NOT with the sub-search on the inputfile with the server names.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, but I still can't do it, there was no accepted answer on those posts.
What I am trying to do is:
index=* |fields Server_Name NOT [|inputlookup LookUpTable.csv append=f| fields Server_Name_To_Be_Removed] |Table Server_Name
But is not working
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It worked, thank you for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check the field name in the lookup table. If it's same as as the field name available in base search (Server_Name) then add a rename command in your subsearch after fields command.
Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey
Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...
Monitoring Amazon Elastic Kubernetes Service (EKS)
