I am trying to remove logs based on a lookup. This is what I am using:
index=myindex "string_to_search_for" NOT
[inputlookup mylookup
| rename IP as host
| fields host]
The end result is to exclude any logs that have the "host" field in the event. My inputlookup returns the correct value but my NOT statement isn't doing anything.
I am very new to Splunk so I am sure that I am missing something pretty easy.
Thanks for the help!
@rogueakula1 Can you try this?
index=myindex "string_to_search_for"
[ | inputlookup mylookup
| fields IP
| eval h="host"."!=".'IP'
| return 1000 $h]
If the number of hosts inside your lookup is > 1000, just increase the number next to the return command accordingly.
The query generated behind the scenes would become as follows; just a note, != is less efficient and it would impact your search performance:
index=myindex "string_to_search_for" host!=ip_val1 OR host!=ip_val2 OR host!=ip_val3...
---
An upvote would be appreciated and Accept solution if it helps!
I managed to get the search working. I ended up using a rex field that extracted the IP address from my logs and then used the search NOT. Worked well. Thanks for the response!
index=myindex "string_to_search_for"
| rex field=_raw "from (?<IP>[0-9.-]+)"
| search NOT
[inputlookup mylookup
| fields IP]
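The working search above does two things: a rex extracts the IP after "from " into a field, and the subsearch expands into a `NOT (IP="a" OR IP="b" ...)` clause. The following Python is an added illustration of that logic, not Splunk code and not from this thread; the log lines and the lookup contents are constructed. It reuses the thread's regex unchanged and shows one behaviour worth knowing when tuning exclusions: `NOT IP="x"` keeps events where the field is absent (the rex matched nothing), which is how Splunk's `NOT field=value` behaves, unlike `field!=value`, which only matches events that have the field.

```python
import re

# The rex pattern from the thread, unchanged: capture whatever follows "from "
IP_RE = re.compile(r"from (?P<IP>[0-9.-]+)")

# Constructed stand-in for `inputlookup mylookup | fields IP`
LOOKUP_IPS = {"10.0.0.5", "192.168.1.20"}

# Constructed sample events (_raw); the last one has no IP to extract
SAMPLE_EVENTS = [
    "Failed password for root from 10.0.0.5 port 2222",
    "Accepted publickey for alice from 203.0.113.7 port 50022",
    "Failed password for admin from 192.168.1.20 port 2222",
    "Connection reset by peer",
]


def extract_ip(raw):
    """Equivalent of `| rex field=_raw "from (?<IP>[0-9.-]+)"`: None if no match."""
    m = IP_RE.search(raw)
    return m.group("IP") if m else None


def not_clause(lookup_ips):
    """The clause the subsearch `NOT [inputlookup ... | fields IP]` expands to."""
    terms = " OR ".join(f'IP="{ip}"' for ip in sorted(lookup_ips))
    return f"NOT ({terms})"


def exclude_lookup_hosts(events, lookup_ips):
    """Apply `| search NOT [...]`: drop events whose extracted IP is in the lookup.

    Events with no extracted IP are kept, matching Splunk's `NOT field=value`
    semantics (a missing field never equals the value).
    """
    kept = []
    for raw in events:
        ip = extract_ip(raw)
        if ip is not None and ip in lookup_ips:
            continue  # listed host: excluded
        kept.append(raw)
    return kept


if __name__ == "__main__":
    print(not_clause(LOOKUP_IPS))
    for line in exclude_lookup_hosts(SAMPLE_EVENTS, LOOKUP_IPS):
        print("kept:", line)
```

If the goal is to drop events that have no extractable IP as well, that is a separate condition (`IP=*` in SPL, or `ip is not None` here) rather than something the NOT subsearch does on its own.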