Hello splunk users, So I have a system that I am logging all errors to splunk. I have been getting a few false positives in my alert I setup. I have found the error in the message field and have updated my search to Include " NOT = 'ERROR1' NOT = 'ERROR2'. I have created a KNOWN_ERROR.CSV that looks like this: KNOWN_ERROR ERROR1 ERROR2 Here is my current search that works: index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT 'ERROR1' NOT "ERROR2" | eval src=SourceName | table Message *The message field is the Windows Application Event Message sent from the application that includes the phrase ERROR 1 or ERROR 2. I have gotten some luck with this: index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT [|inputlookup Known_Error.csv] When I inspect the job I find that the search is kinda working: Normalized Search: litsearch (index=* ((sourcetype="ms:iis:auto" s_computername="HOSTNAME*") OR (sourcetype="ms:iis:default" s_computername="HOSTNAME*") OR host="HOSTNAME*") source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | litsearch (index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | eval src=SourceName The issue looks like NOT includes Known_Error as the header of my CSV but I want that to be searching the Error in the Message Field. Hope you guys can help. ... View more