Splunk Search

NOT Statement based on lookup not working

rogueakula1
Loves-to-Learn Lots

I am trying to remove logs based on a lookup. This is what I am using:

 

index=myindex "string_to_search_for" NOT

     [inputlookup mylookup

      | rename IP as host

      | field host]

 

The end result is to exclude any logs that have the "host" field in the event. My inputlookup returns the correct value but my NOT statement isnt doing anything.

I am very new to Splunk so I am sure that I am missing something pretty easy.

Thanks for the help!

Labels (1)
0 Karma

venkatasri
SplunkTrust
SplunkTrust

 

@rogueakula1 Can you try this?

 

index=myindex "string_to_search_for" 
    [ | inputlookup mylookup 
    | fields IP 
    | eval h="host"."!=".'IP' 
    | return 1000 $h]

 

 

If your number of hosts inside lookup are > 1000 just increase the number next to return command accordingly.

Your output query behind would become as follows, just a note != is less efficient and it would be impact your search performance

 

 

index=myindex "string_to_search_for" host!=ip_val1 OR host!=ip_val2 OR host!=ip_val3...

 

 

 ---

An upvote would be appreciated and Accept solution if it helps!

0 Karma

rogueakula1
Loves-to-Learn Lots

I managed to get the search working. I ended up using a rex field that extracted the IP address from my logs and then used the search NOT. Worked well. Thanks for the response! 

index=myindex "string_to_search_for"

| rex field=_raw "from (?<IP>[0-9.-]+)"

| search NOT

     [inputlookup mylookup

       | field IP]

0 Karma
*NEW* Splunk Love Promo!
Snag a $25 Visa Gift Card for Giving Your Review!

It's another Splunk Love Special! For a limited time, you can review one of our select Splunk products through Gartner Peer Insights and receive a $25 Visa gift card!

Review:





Or Learn More in Our Blog >>