Splunk Search

Why does inputlookup NOT fail to exclude rows?

Engager

I'm trying to exclude known issues from a search by using a lookup of exclusions. Our Splunk admins lock down alert creation so I can't hard code these exclusions in the search itself which generates alerts however I can make use of lookups which I'm able to edit as needed. The search fails to exclude my list of exclusions and I still see rows for data for the excluded values. The field name DELGROUP is the same name as returned in output from source.
Is there something wrong with this search or is there a better to accomplish exclusions/overrides?

index=perfmon (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) source="*ggs_hb_vw_perf_mon" NOT ([| inputlookup dba_lookup_Exclusions.csv  where (id=2) | fields exclude_name | rename exclude_name as DELGROUP]) DIFF>600 
0 Karma
1 Solution

Engager

This my error, lookup name had a case error and was listed as

| inputlookup dbalookupexclusions.csv

and not

| inputlookup dbalookupExclusions.csv

View solution in original post

0 Karma

Engager

This my error, lookup name had a case error and was listed as

| inputlookup dbalookupexclusions.csv

and not

| inputlookup dbalookupExclusions.csv

View solution in original post

0 Karma

SplunkTrust
SplunkTrust

@cmille19 If your problem is resolved, please accept an answer to help future readers.

---
If this reply helps you, an upvote would be appreciated.
0 Karma

Esteemed Legend

Try this:

index=perfmon AND (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) AND source="*ggs_hb_vw_perf_mon" AND DIFF>600
NOT [|inputlookup dba_lookup_Exclusions.csv  | where id==2 | fields exclude_name | rename exclude_name AS DELGROUP]
0 Karma