Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Exclude results from lookup table in search

Dalador
Path Finder
‎04-09-2021 03:00 AM
I have a lookup table with Scheduled Tasks called scheduled_tasks, and Columns Command, Arguments. 

I need to do a search where I only display results where the Arguments, Command fields in events DOES NOT contain a value in the scheduled_tasks lookup table. Where it is going wrong? Thank you!
My query is: 

(index IN (index1, index2)) EventCode=4698 NOT [|inputlookup scheduled_tasks |fields Arguments, Command] | fillnull Arguments value="-" | rex field=_raw "(?P<Command>((?<=\bCommand>).*(?=<)))" | rex field=_raw "(?P<Arguments>((?<=\bArguments>).*(?=<)))" |table Command,Arguments |dedup Command,Arguments

 

My lookup table: 

example3.png

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

Dalador
Path Finder
‎04-09-2021 05:59 AM

I rewrote my query: 
  EventCode=4698 | fillnull Arguments value="-" | rex field=_raw "(?P<Command>((?<=\bCommand>).*(?=<)))" | rex field=_raw "(?P<Arguments>((?<=\bArguments>).*(?=<)))" |search NOT [|inputlookup scheduled_task |fields Arguments, Command]|table Task_Name, ComputerName,Command,_time,Arguments, Account_Name

This works for me 🙂 

View solution in original post

Reply
Solved! Jump to solution

aasabatini
Builder
‎04-09-2021 05:12 AM

HI @Dalador 

try like this:

 

(index IN (index1, index2)) EventCode=4698 [inputlookup scheduled_tasks |fields Arguments, Command | format "(" "(" "AND" ")" "NOT" ")"] | fillnull Arguments value="-" | rex field=_raw "(?P<Command>((?<=\bCommand>).*(?=<)))" | rex field=_raw "(?P<Arguments>((?<=\bArguments>).*(?=<)))" |table Command,Arguments |dedup Command,Arguments

 

Karma given or solution confirmation appreciated

Alessandro

Reply
Solved! Jump to solution

Dalador
Path Finder
‎04-09-2021 05:23 AM

Same result 😞 

0 Karma
Reply
Solved! Jump to solution

aasabatini
Builder
‎04-09-2021 05:36 AM

hey @Dalador 

can you show me the results of this search?

 

|inputlookup scheduled_tasks |fields Arguments, Command | format "(" "(" "AND" ")" "NOT" ")"

 

if the results is 0 please check if the permission of the lookup is set on  global.

0 Karma
Reply
Solved! Jump to solution
Solution

Dalador
Path Finder
‎04-09-2021 05:59 AM

I rewrote my query: 
  EventCode=4698 | fillnull Arguments value="-" | rex field=_raw "(?P<Command>((?<=\bCommand>).*(?=<)))" | rex field=_raw "(?P<Arguments>((?<=\bArguments>).*(?=<)))" |search NOT [|inputlookup scheduled_task |fields Arguments, Command]|table Task_Name, ComputerName,Command,_time,Arguments, Account_Name

This works for me 🙂 

View solution in original post

Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!