Why am I getting "Error in 'inputlookup' command: ...

lbogle · ‎06-23-2016

Hello Splunkers,

Just checking to see if this is possible or If I'm running into a limitation I didn't know about...
I have a very simple "source of truth" .csv file used as a lookup file. It has a single field with about 70 unique values. I am trying to compare that against a single field with about 60 of the same unique values in an index. I need remove the 60 values in the index from the 70 values in the lookup table so that only the 10 values that are not in the index remain. I had tried by using a simple |inputlookup NOT index field value NOT index field value NOT index field value etc, but I am getting the error:

Error in 'inputlookup' command: Invalid argument: 'NOT'.

I'm guessing you can't NOT a lookup table. Is there some other equivalent command we can use for a lookup table?
Alternately, is there a way for me to accomplish this outside of a simple NOT statement?
Thanks!

sundareshr · ‎06-24-2016

Try this

| inputlookup lookupfile.csv | search NOT [search index=baseindex | stats count by matchingfield | fields - count ]

woodcock · ‎06-23-2016

Like this:

<Your Base Search With 70 Values Here> NOT [|inputlookup <YouLookupDefinitionNameHere> | fields <YourFieldNameHere>]

Why am I getting "Error in 'inputlookup' command: Invalid argument: 'NOT'."?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!