×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
TurboTurtle
Engager
Member since: ‎03-02-2023
‎03-10-2023
Community Statistics
Posts 2
Solutions 0
Karma Given 1
Karma Received 0
Member Since ‎03-02-2023
Activity Feed
View All

Exclude results from lookup table in search v2?

by in Splunk Search
‎03-05-2023 06:47 PM
‎03-05-2023 06:47 PM
I'm trying to optimize my Splunk Windows Event Log dashboard, and wanted to add CSV exclusion file that would filter out some events that aren't necessary to monitor. CSV file contents: TaskName EventCode Microsoft Edge 4101 Firefox 4101   To filter events, I tried this search query: AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ] However it doesn't give me what I want, it converts search string to: (NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox")) But I want this: AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox"))   Is there an easy way of using "AND" OR "AND" for CSV inputlookup? ... View more
Labels

Re: Exclude results from lookup table in search

by in Splunk Search
‎03-02-2023 10:32 PM
‎03-02-2023 10:32 PM
I have been trying to add another column, but it's giving me different condition logic. Let's say I want to also filter it not just on a task name in CSV, but with EventCode included. TaskName EventCode Microsoft Edge 4101 Firefox 4101   I tried this: AND NOT [ | inputlookup wineventlog_exclusions_v2.csv | rename TaskName as query | fields query, EventCode ] However it doesn't give me what I want, it converts it to: (NOT EventCode="4104" OR NOT "Microsoft Edge") (NOT EventCode="4104" OR NOT "Firefox")) I want this: AND NOT ((EventCode="4104" AND "Microsoft Edge") OR (EventCode="4104" AND "Firefox")) ... View more
Contact Me
Online Status
Offline
Date Last Visited
‎03-10-2023 01:16 AM
Karma given to
View All