Re: Why am I getting "Error in 'inputlookup' comma...

lbogle · ‎06-23-2016

Hello Splunkers,

Just checking to see if this is possible or If I'm running into a limitation I didn't know about...
I have a very simple "source of truth" .csv file used as a lookup file. It has a single field with about 70 unique values. I am trying to compare that against a single field with about 60 of the same unique values in an index. I need remove the 60 values in the index from the 70 values in the lookup table so that only the 10 values that are not in the index remain. I had tried by using a simple |inputlookup NOT index field value NOT index field value NOT index field value etc, but I am getting the error:

Error in 'inputlookup' command: Invalid argument: 'NOT'.

I'm guessing you can't NOT a lookup table. Is there some other equivalent command we can use for a lookup table?
Alternately, is there a way for me to accomplish this outside of a simple NOT statement?
Thanks!

sundareshr · ‎06-24-2016

Try this

| inputlookup lookupfile.csv | search NOT [search index=baseindex | stats count by matchingfield | fields - count ]

woodcock · ‎06-23-2016

Like this:

<Your Base Search With 70 Values Here> NOT [|inputlookup <YouLookupDefinitionNameHere> | fields <YourFieldNameHere>]

Why am I getting "Error in 'inputlookup' command: Invalid argument: 'NOT'."?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation