Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Search for items not matching values from a lookup

gohar
Explorer
‎05-24-2011 09:16 AM

Related to http://splunk-base.splunk.com/answers/7581/best-way-to-search-using-a-lookup-table

I want this inverse scenario that what is the best way to search across all of my data and ONLY show items from lookup tables NOT matching with field.

Tags (2)
Reply

dwaddle
SplunkTrust
SplunkTrust
‎05-24-2011 10:08 AM

This should be easily done with a NOT. Copying gkanapathy's original answer:

sourcetype=web NOT [ inputlookup iptable | fields src_ip | rename src_ip as souce_address ]
Reply

abhayneilam
Contributor
‎10-27-2012 10:53 AM

Hi,

I have a query like :

index="maa" |rex field="Location" (?(?i)"(abhay)") | eval ONE=lower(ONE) | stats count(ONE) by ONE

my output is coming:

abhay 10

if I give some other keyword which is not matching then it is not diplaying,my output should come as :

abhay 10
murari 0 ( 0 should come along with the keyword name "murari" if no keyword matches..

Please help me to get this one

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | A sphere has three, a circle has two, and a point has zero. What is it?

September 2023 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

Build Scalable Security While Moving to Cloud - Guide From Clayton Homes

 Clayton Homes faced the increased challenge of strengthening their security posture as they went through ...

Mission Control | Explore the latest release of Splunk Mission Control (2.3)

We’re happy to announce the release of Mission Control 2.3 which includes several new and exciting features ...