Splunk Dev

Only display results not found on lookup table.

agodoy
Communicator

I am running the following query:

| inputlookup field1_list.csv
| search NOT [search index=main
              | makemv tokenizer="(.+?)(?=,\S|$),?" field1
              | mvexpand field1
              | search field1=*,*
              | fields field1, field2, field3 ]
| table field1, field2, field3

I am trying to display the results that are not present in the table. However, I am getting the contents of the field1_list.csv as output even though the results found are 0.

Any idea on what query string I need to add so that the query only returns events and not lines of the lookup table?

Thanks!


kristian_kolb
Ultra Champion

Hi,

While you provide too little information regarding your actual events, I can only give you general advice based on the heading of your question. If you want to filter out events that do not match the contents of a lookup table, I think that you should turn the query around like so:

sourcetype=access_combined  NOT [| inputlookup http_status_errors.csv | fields + status]

In the example above the http_status_errors.csv file would contain a list of http status codes (404, 500 etc) along with their descriptions ("Not Found", "Internal Server Error" etc). The subsearch returns the status codes which are then applied with a "NOT".

Hope this helps,

K
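The same "turned around" pattern applied to the fields from the question, as an added example rather than code from either poster. It assumes that field1_list.csv is uploaded as a lookup file, that the events in index=main carry a comma-separated field1 (hence the makemv/mvexpand from the original query), and that the CSV has a column literally named field1; the subsearch must be reduced to that one column with `fields + field1`, otherwise every other CSV column is ANDed into each row of the generated filter and nothing would match.

```spl
index=main
| makemv tokenizer="(.+?)(?=,\S|$),?" field1
| mvexpand field1
| search field1=*
| search NOT [| inputlookup field1_list.csv | fields + field1]
| table field1, field2, field3
```

Here the outer search is the event data and the lookup only supplies the exclusion list, so the output is events, not lookup rows. Keep in mind the default subsearch limits (10,000 results and a 60-second timeout): if the CSV is larger than that, the generated NOT clause is silently truncated and events that should have been excluded will appear in the results.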

lukejadamec
Super Champion

There are at least two problems.
1) The result count of 0 means that the subsearch yields nothing.
2) inputlookup is supposed to return the contents of the lookup, so the results you're getting are normal.

Recommend that you:
1) Test the subsearch as a standard search to make sure it is working.
2) Use lookup with specific inputs and outputs.
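An added example of the second recommendation, using the lookup command with an explicit input and output instead of a subsearch. This is not code from the thread; it assumes field1_list.csv is available as a lookup (a lookup definition or an uploaded CSV) with a column named field1, and the output field name matched_field1 is an arbitrary name chosen here.

```spl
index=main
| makemv tokenizer="(.+?)(?=,\S|$),?" field1
| mvexpand field1
| search field1=*
| lookup field1_list.csv field1 AS field1 OUTPUT field1 AS matched_field1
| where isnull(matched_field1)
| table field1, field2, field3
```

The lookup only populates matched_field1 for events whose field1 appears in the CSV, so `where isnull(matched_field1)` keeps exactly the events that are not in the list. Unlike the subsearch form this is not subject to the subsearch result limit, which makes it the safer choice when the lookup table is large.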


lguinn2
Legend

What events do you actually want to see? Events that don't have certain fields? What is in the csv file?

I am uncertain of what you are trying to accomplish.
