I'm trying to exclude known issues from a search by using a lookup of exclusions. Our Splunk admins lock down alert creation so I can't hard code these exclusions in the search itself which generates alerts however I can make use of lookups which I'm able to edit as needed. The search fails to exclude my list of exclusions and I still see rows for data for the excluded values. The field name DELGROUP is the same name as returned in output from source.
Is there something wrong with this search or is there a better to accomplish exclusions/overrides?
index=perfmon (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) source="*ggs_hb_vw_perf_mon" NOT ([| inputlookup dba_lookup_Exclusions.csv where (id=2) | fields exclude_name | rename exclude_name as DELGROUP]) DIFF>600
index=perfmon AND (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) AND source="*ggs_hb_vw_perf_mon" AND DIFF>600 NOT [|inputlookup dba_lookup_Exclusions.csv | where id==2 | fields exclude_name | rename exclude_name AS DELGROUP]