Okay, I've got it working now. Thanks.
For now this is just a single lookup file used by "|inputlookup file.csv" stored in /opt/splunk/etc/system/lookups.
I'm using the file to exclude results from a search...so "if in lookup file, then don't return in search results, just give me everything else."
Soon I will transition it into a lookup table, indexed log file, or maybe even into a database and use db connect, but for now I'm still learning splunk and doing only newbie-style lookups.
Use some thing like this for "exclude results from a search...so "if in lookup file, then don't return in search results, just give me everything else."
your base search NOT [|inputlookup file.csv |table coloumnName]
This should do it.
How is this CSV stored in Splunk?? Lookup table files OR it's indexed in some index??
Look at the answer here for a solution:
https://answers.splunk.com/answers/32704/lookup-tables-and-comments.html
Short:
Add a comment field and do not use that field in any reference.
CSVs the way you mean them are treated in a different way than regular log files.
There are 2 basic kinds:
"just CSVs", which are only accessed via "| inputcsv" and "| outputcsv"
lookup CSVs, which are accessed with commands "| lookup", "| inputlookup" and "| outputlookup"
Use the oputputcsv or outputlookup commands to add comment to your CSV in Splunk web