Re: NOT Statement based on lookup not working

rogueakula1 · ‎07-01-2021

I am trying to remove logs based on a lookup. This is what I am using:

index=myindex "string_to_search_for" NOT

[inputlookup mylookup

| rename IP as host

| field host]

The end result is to exclude any logs that have the "host" field in the event. My inputlookup returns the correct value but my NOT statement isnt doing anything.

I am very new to Splunk so I am sure that I am missing something pretty easy.

Thanks for the help!

venkatasri · ‎07-01-2021

@rogueakula1 Can you try this?

index=myindex "string_to_search_for" 
    [ | inputlookup mylookup 
    | fields IP 
    | eval h="host"."!=".'IP' 
    | return 1000 $h]

If your number of hosts inside lookup are > 1000 just increase the number next to return command accordingly.

Your output query behind would become as follows, just a note != is less efficient and it would be impact your search performance

index=myindex "string_to_search_for" host!=ip_val1 OR host!=ip_val2 OR host!=ip_val3...

---

An upvote would be appreciated and Accept solution if it helps!

rogueakula1 · ‎07-02-2021

I managed to get the search working. I ended up using a rex field that extracted the IP address from my logs and then used the search NOT. Worked well. Thanks for the response!

index=myindex "string_to_search_for"

| rex field=_raw "from (?<IP>[0-9.-]+)"

| search NOT

[inputlookup mylookup

| field IP]

NOT Statement based on lookup not working

other

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!