Solved: Return NOT matching events

munisb · ‎08-12-2021

Hi,

I am trying to return values that DO NOT MATCH the search between an index and .csv file

Ex - this returns the values that are good but i don't want to see these:

index=myindex TAGGING="*Agent*" | dedup DNS | join type=inner DNS [ | inputlookup linuxhostnames.csv | rename hostname as DNS]

whereas, I tried the following - this takes slightly longer to return the results but also returns only the matching values instead of the NOT MATCHING

| inputlookup linuxhostnames.csv | rename hostname as DNS | search NOT [search index=myindex| fields DNS | format ]

Will appreciate some guidance here.

Thank you

munisb · ‎08-12-2021

I don't get it why this works but it does:

| inputlookup linuxhostnames.csv | rename hostname as DNS | search [search index=myindex| fields DNS | format ]

Now, I only get results that DO NOT MATCH. However, the search is slow. Would there be a faster way to do this?

View solution in original post

munisb · ‎08-12-2021

I don't get it why this works but it does:

| inputlookup linuxhostnames.csv | rename hostname as DNS | search [search index=myindex| fields DNS | format ]

Now, I only get results that DO NOT MATCH. However, the search is slow. Would there be a faster way to do this?

Return NOT matching events

eval

join

Enterprise Security Content Update (ESCU) | New Releases

Announcing the 1st Round Champion’s Tribute Winners of the Great Resilience Quest

We’ve Got Education Validation!