Solved: Return NOT matching events

munisb · ‎08-12-2021

Hi,

I am trying to return values that DO NOT MATCH the search between an index and .csv file

Ex - this returns the values that are good but i don't want to see these:

index=myindex TAGGING="*Agent*" | dedup DNS | join type=inner DNS [ | inputlookup linuxhostnames.csv | rename hostname as DNS]

whereas, I tried the following - this takes slightly longer to return the results but also returns only the matching values instead of the NOT MATCHING

| inputlookup linuxhostnames.csv | rename hostname as DNS | search NOT [search index=myindex| fields DNS | format ]

Will appreciate some guidance here.

Thank you

munisb · ‎08-12-2021

I don't get it why this works but it does:

| inputlookup linuxhostnames.csv | rename hostname as DNS | search [search index=myindex| fields DNS | format ]

Now, I only get results that DO NOT MATCH. However, the search is slow. Would there be a faster way to do this?

View solution in original post

munisb · ‎08-12-2021

I don't get it why this works but it does:

| inputlookup linuxhostnames.csv | rename hostname as DNS | search [search index=myindex| fields DNS | format ]

Now, I only get results that DO NOT MATCH. However, the search is slow. Would there be a faster way to do this?

Return NOT matching events

eval

join

.conf25 Community Recap

Splunk App Developers | .conf25 Recap & What’s Next

Congratulations to the 2025-2026 SplunkTrust!

Are you a member of the Splunk Community?