Hello Splunkers,
Just checking to see if this is possible or if I'm running into a limitation I didn't know about...
I have a very simple "source of truth" .csv file used as a lookup file. It has a single field with about 70 unique values. I am trying to compare that against a single field with about 60 of the same unique values in an index. I need to remove the 60 values in the index from the 70 values in the lookup table so that only the 10 values that are not in the index remain. I had tried by using a simple |inputlookup NOT index field value NOT index field value NOT index field value
etc, but I am getting the error:
Error in 'inputlookup' command: Invalid argument: 'NOT'.
I'm guessing you can't NOT a lookup table. Is there some other equivalent command we can use for a lookup table?
Alternately, is there a way for me to accomplish this outside of a simple NOT statement?
Thanks!
Try this
| inputlookup lookupfile.csv | search NOT [search index=baseindex | stats count by matchingfield | fields - count ]
Like this:
<Your Base Search With 70 Values Here> NOT [|inputlookup <YourLookupDefinitionNameHere> | fields <YourFieldNameHere>]
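
The same set difference without a subsearch, as an added example that is not part of the original answers. It reuses lookupfile.csv, baseindex and matchingfield from the first answer and assumes the lookup column is also named matchingfield; events is a field name chosen here for illustration.

```spl
index=baseindex
| stats count AS events BY matchingfield
| inputlookup append=true lookupfile.csv
| stats sum(events) AS events BY matchingfield
| where isnull(events)
| fields matchingfield
```

Values seen in the index carry a summed events count, while values present only in the lookup have none, so isnull(events) keeps just the lookup entries missing from the index. Unlike search NOT, stats BY compares values case-sensitively, so normalize case first if the two sources differ.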