Solved: inputlookup excluding index

jmo1 · ‎01-26-2021

I am trying to write a query that will ignore events in certain indexes (these indexes change over time). I have a CSV file with a single column that looks like this...

Index

a

b

c

NOTE: this is a simple example, it really has 25+ indexes

host=* NOT index=[| inputlookup Index.csv | fields Index]

This is my non-working attempt. The actual query is irrelevant (host=*), the point is that I want to ignore any hits where the index is in the CSV file (index!=a index!=b index!=c).

Any help would be greatly appreciated.

bowesmana · ‎01-26-2021

You don't need the index=... and case is important, so use this

host=* NOT [ | inputlookup indexes.csv | rename Index as index ]

Note the rename, as your column is Index, not index, so either change the column name in the table and just use | table index or go with the above

View solution in original post

bowesmana · ‎01-26-2021

You don't need the index=... and case is important, so use this

host=* NOT [ | inputlookup indexes.csv | rename Index as index ]

Note the rename, as your column is Index, not index, so either change the column name in the table and just use | table index or go with the above

jmo1 · ‎01-27-2021

Thank you! It is working.

inputlookup excluding index

lookup

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!