×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question
cmille19
Engager
Member since: ‎07-05-2019
‎06-05-2020
Community Statistics
Posts 2
Solutions 1
Karma Given 0
Karma Received 0
Member Since ‎07-05-2019
View All

Re: Why does inputlookup NOT fail to exclude rows?

by in Splunk Search
‎07-09-2019 10:10 AM
‎07-09-2019 10:10 AM
This my error, lookup name had a case error and was listed as | inputlookup dba_lookup_exclusions.csv and not | inputlookup dba_lookup_Exclusions.csv ... View more

Why does inputlookup NOT fail to exclude rows?

by in Splunk Search
‎07-05-2019 06:37 AM
‎07-05-2019 06:37 AM
I'm trying to exclude known issues from a search by using a lookup of exclusions. Our Splunk admins lock down alert creation so I can't hard code these exclusions in the search itself which generates alerts however I can make use of lookups which I'm able to edit as needed. The search fails to exclude my list of exclusions and I still see rows for data for the excluded values. The field name DELGROUP is the same name as returned in output from source. Is there something wrong with this search or is there a better to accomplish exclusions/overrides? index=perfmon (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) source="*ggs_hb_vw_perf_mon" NOT ([| inputlookup dba_lookup_Exclusions.csv where (id=2) | fields exclude_name | rename exclude_name as DELGROUP]) DIFF>600 ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎06-05-2020 02:04 AM