Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Help with using lookups for combinations of values

neilsmith2
Explorer
‎08-31-2023 06:22 AM

I have a simple lookup file with two fields, user and host

user                                host

Bob                                   1

Dave                                  2

Karen                                 x

Sue                                     y


I want exclude any results from my search where there is any combination of host AND user where they match any value from the lookup.

For example, exclude any results where:

the user is Bob and the host is either 1, 2, x or y
the user is either Bob, Dave, Karen or Sue and the host is x 

I'm playing with this search, which appears to work but unsure if there's a flaw in my logic, or if there's a better way to do it?

 

 

index=proxy sourcetype="proxy logs"
user="*"

NOT ([| inputlookup lookup.csv  | fields user | format ] AND [| inputlookup lookup.csv  | fields host | format ])

| stats c by username, host

 

 

Thanks in advance

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎08-31-2023 07:38 AM

Try something like this

index=proxy sourcetype="proxy logs"
user="*"

NOT [| inputlookup lookup.csv  | eventstats values(host) as host | mvexpand host | format ]

| stats c by username, host
Reply
Get Updates on the Splunk Community!

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Wednesday, May 29, 2024  |  11AM PST / 2PM ESTRegister now and join us to learn more about how you can ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer Certification at ...

We’re excited to announce a new Splunk certification exam being released at .conf24! If you’re headed to Vegas ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...

Splunk Lantern is Splunk’s customer success center that provides advice from Splunk experts on valuable data ...