Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

input lookup

tkrprakash
Loves-to-Learn Lots
‎07-17-2025 10:57 PM

Hi All,

I have an input lookup file with 2 fields  first filed contains some path and the second filed is an httpcode for the path. 
example   :  /s/a/list   403  ; /s/b/list 504 

i need help to form a search query to exclude the fields in this input lookup file with matching the httpcode ; 

whe i run query with like

index=a and sourcetype=*b*  it needs to exclude the path and specific httpcode from the excel and siplay output for other paths and httpcodes. 

please help 

Labels (1)
Labels
Tags (1)
0 Karma
Reply

PrewinThomas
Motivator
‎07-17-2025 11:37 PM

@tkrprakash 

You can try below one,

index=a sourcetype=*b*
| lookup exclude_paths.csv path AS path httpcode AS httpcode OUTPUT path AS matched_path
| where isnull(matched_path)

Also you can try with subsearch

index=a sourcetype=*b*
NOT [ | inputlookup exclude_paths.csv | fields path httpcode ]


Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎07-17-2025 11:17 PM

Hi @tkrprakash ,

do you want to exclude from results events that match the full paths contained in the lookup or a part of it?

if you want to use the full path and you have two extracted fileds in your results called "path" and "http_code", you could run something like this:

index=a and sourcetype=*b* NOT [ | inputlookup your_lookup.csv | fields path http_code ]
| ...

if the fields in your main search have different names, you must rename them in the subsearch to be sure to match the field names from the main search.

If instead the path in the lookup must match only a part of the path field, you should run something like this:

index=a and sourcetype=*b* NOT [ | inputlookup your_lookup.csv | rename path AS query | fields query http_code ]
| ...

 Ciao.

Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...