Solved: Why does inputlookup NOT fail to exclude rows?

cmille19 · ‎07-05-2019

I'm trying to exclude known issues from a search by using a lookup of exclusions. Our Splunk admins lock down alert creation so I can't hard code these exclusions in the search itself which generates alerts however I can make use of lookups which I'm able to edit as needed. The search fails to exclude my list of exclusions and I still see rows for data for the excluded values. The field name DELGROUP is the same name as returned in output from source.
Is there something wrong with this search or is there a better to accomplish exclusions/overrides?

index=perfmon (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) source="*ggs_hb_vw_perf_mon" NOT ([| inputlookup dba_lookup_Exclusions.csv  where (id=2) | fields exclude_name | rename exclude_name as DELGROUP]) DIFF>600

cmille19 · ‎07-09-2019

This my error, lookup name had a case error and was listed as

| inputlookup dba_lookup_exclusions.csv

and not

| inputlookup dba_lookup_Exclusions.csv

View solution in original post

cmille19 · ‎07-09-2019

This my error, lookup name had a case error and was listed as

| inputlookup dba_lookup_exclusions.csv

and not

| inputlookup dba_lookup_Exclusions.csv

richgalloway · ‎07-09-2019

@cmille19 If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, Karma would be appreciated.

woodcock · ‎07-05-2019

Try this:

index=perfmon AND (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) AND source="*ggs_hb_vw_perf_mon" AND DIFF>600
NOT [|inputlookup dba_lookup_Exclusions.csv  | where id==2 | fields exclude_name | rename exclude_name AS DELGROUP]

Why does inputlookup NOT fail to exclude rows?

Using Machine Learning for Hunting Security Threats

Observability Newsletter Highlights | March 2023

Security Newsletter Updates | March 2023