Splunk Search

Why is my search no longer excluding results from a lookup table?

New Member
index=test  action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT [| inputlookup Email_exclusion]

This is my search. I am trying to exclude the dest_ip from the lookup table from the search. It was working before and suddenly stopped.

Any idea what could have gone wrong?

0 Karma

Influencer

What do you get if you run the following search | inputlookup Email_exclusion ?

Unless you get a single column table headed dest_ip then the search will not exclude values as you hope. There may be a problem with the lookup table.

0 Karma

New Member

Yeah did that and I could see the results of my lookup table...

0 Karma

Influencer

In the Job Inspector, you should be able to see what the expanded subsearch looks like (have a look for the section remoteSearch)

It should look something like:

index=test  action=allowed app=smtp client_ip!=x.x.x.x | iplocation dest_ip | stats count values(Country) values(client_ip) by dest_ip | search NOT (dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x OR dest_ip=x.x.x.x)

That is, it will show the expanded subsearch. Is that how it looks?

0 Karma

New Member

Here is how it looks like:

search index=test action=allowed app=smtp clientip!=x.x.x.x | iplocation destip | stats count values(Country) values(clientip) by destip | search NOT ( ( destip="x.x.x.x" ) OR ( destip="x.x.x.x" ) OR ( destip="x.x.x.x" ) OR ( destip="x.x.x.x" ) OR ( destip="x.x.x.x" ) OR ( destip="x.x.x.x" ) OR ( dest_ip="x.x.x.x" ) )

0 Karma

SplunkTrust
SplunkTrust

What changed between when the search worked and when it suddenly stopped?

---
If this reply helps you, an upvote would be appreciated.
0 Karma

New Member

I am not sure, it was working a week before.. the same query... but now i see no results though there are logs

0 Karma