Hi All,
I have an input lookup file with 2 fields: the first field contains some path and the second field is an httpcode for the path.
Example: /s/a/list 403 ; /s/b/list 504
I need help to form a search query to exclude the fields in this input lookup file, matching the httpcode.
When I run a query like
index=a and sourcetype=*b*, it needs to exclude the path and specific httpcode from the Excel file and display output for other paths and httpcodes.
Please help.
You can try the one below:
index=a sourcetype=*b*
| lookup exclude_paths.csv path AS path httpcode AS httpcode OUTPUT path AS matched_path
| where isnull(matched_path)
Also, you can try with a subsearch:
index=a sourcetype=*b*
NOT [ | inputlookup exclude_paths.csv | fields path httpcode ]
Regards,
Prewin
Splunk Enthusiast | Always happy to help! If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!
Hi @tkrprakash ,
Do you want to exclude from results events that match the full paths contained in the lookup or a part of it?
If you want to use the full path and you have two extracted fields in your results called "path" and "http_code", you could run something like this:
index=a AND sourcetype=*b* NOT [ | inputlookup your_lookup.csv | fields path http_code ]
| ...
If the fields in your main search have different names, you must rename them in the subsearch to be sure to match the field names from the main search.
If instead the path in the lookup must match only a part of the path field, you should run something like this:
index=a AND sourcetype=*b* NOT [ | inputlookup your_lookup.csv | rename path AS query | fields query http_code ]
| ...
Ciao.
Giuseppe
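Added example, not part of either answer and not Splunk code: a small Python model of the `NOT [ | inputlookup ... ]` approach, showing that each lookup row excludes only its exact path and code pair, and that a field-name mismatch between lookup and events silently excludes nothing. The lookup contents and events are constructed; the field names `path`, `httpcode` and `http_code` come from the thread.

```python
import csv
import io

# Constructed lookup contents, mirroring the example pairs from the question.
LOOKUP_CSV = "path,httpcode\n/s/a/list,403\n/s/b/list,504\n"

# Constructed events standing in for the results of the base search.
EVENTS = [
    {"path": "/s/a/list", "httpcode": "403"},  # listed pair -> excluded
    {"path": "/s/a/list", "httpcode": "200"},  # same path, other code -> kept
    {"path": "/s/b/list", "httpcode": "504"},  # listed pair -> excluded
    {"path": "/s/c/list", "httpcode": "403"},  # other path, same code -> kept
]


def load_rows(text, rename=None):
    """Parse the lookup; `rename` mimics `| rename old AS new` in the subsearch."""
    rename = rename or {}
    return [{rename.get(k, k): v for k, v in row.items()}
            for row in csv.DictReader(io.StringIO(text))]


def expand_subsearch(rows):
    """Render rows as a subsearch expands: AND within a row, OR between rows."""
    groups = [" AND ".join(f'{k}="{v}"' for k, v in row.items()) for row in rows]
    return "NOT ( " + " OR ".join(f"( {g} )" for g in groups) + " )"


def exclude(events, rows):
    """Keep events that match no lookup row on every field of that row."""
    def hit(event, row):
        # A field the event does not have can never equal the lookup value.
        return all(event.get(k) == v for k, v in row.items())
    return [e for e in events if not any(hit(e, r) for r in rows)]


if __name__ == "__main__":
    rows = load_rows(LOOKUP_CSV)
    print(expand_subsearch(rows))
    for e in exclude(EVENTS, rows):
        print("kept:", e)
    # Field-name mismatch (lookup says http_code, events say httpcode):
    # no row can match, so nothing is excluded and no error is raised.
    bad = load_rows(LOOKUP_CSV, rename={"httpcode": "http_code"})
    print("kept with mismatched names:", len(exclude(EVENTS, bad)))
```

When an exclusion list like this suppresses known noise in a monitoring search, an unchanged result count after adding the `NOT [...]` clause is the sign that the field names do not line up.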