Hi,
While you provide too little information regarding your actual events, I can only give you the general advice based on the heading of your question. If you want to filter out events that do not match the contents of a lookup table, I think that you should turn the query around like so;
sourcetype=access_combined NOT [| inputlookup http_status_errors.csv | fields + status]
In the example above the http_status_errors.csv file would contain a list of http status codes (404, 500 etc) along with their descriptions ("Not Found", "Internal Server Error" etc). The subsearch returns the status codes which are then applied with a "NOT".
Hope this helps,
K
... View more