I have an inputlookup that provides me a list of MAC addresses. I want to remove those MAC addresses from another index that contains some of the same lists in the inputlookup.
Here is my index, where I do not want the MAC addresses of the inputlookup to show up:
index=Base456 WiFiMAC="*" earliest=0
| eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p")
| where LPR >= relative_time(now(),"-7d@h")
| table "WiFiMAC"
| dedup WiFiMAC
Here is my inputlookup that I am looking to subtract from the index:
| inputlookup BASE123.csv
| rename u_wifi_mac_address as Mac_Address
| search discovery_source="AWM"
| table Mac_Address
I had trouble using join due to it being an inputlookup.
You probably want something like ...
index=Base456 WiFiMAC="*" earliest=0
| eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p")
| where LPR >= relative_time(now(),"-7d@h")
| table "WiFiMAC"
| dedup WiFiMAC
| rename COMMENT as "now we use the lookup as a lookup, and compare the results to what we want to drop"
| lookup BASE123.csv u_wifi_mac_address as WiFiMAC OUTPUT discovery_source
| where isnull(discovery_source) OR discovery_source!="AWM"
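An alternative form of the same exclusion, added here as an example and not part of the original answer: it filters with a subsearch over the lookup file and compares a normalized copy of each MAC address, so entries that differ only in case or delimiter (aa-bb-cc... versus AA:BB:CC...) are still excluded. It assumes the two sources may format MAC addresses differently; `mac_norm` is a helper field name introduced for this example.

```spl
index=Base456 WiFiMAC="*" earliest=0
| eval LPR = strptime(LastPolicyRequest, "%m/%d/%Y %I:%M:%S %p")
| where LPR >= relative_time(now(), "-7d@h")
| rename COMMENT as "mac_norm (assumed helper field): lowercase hex digits only, delimiters stripped"
| eval mac_norm = lower(replace(WiFiMAC, "[^0-9A-Fa-f]", ""))
| rename COMMENT as "the subsearch expands to (mac_norm=...) OR (mac_norm=...); NOT drops every matching event"
| search NOT
    [| inputlookup BASE123.csv
     | search discovery_source="AWM"
     | eval mac_norm = lower(replace(u_wifi_mac_address, "[^0-9A-Fa-f]", ""))
     | dedup mac_norm
     | fields mac_norm ]
| dedup WiFiMAC
| table WiFiMAC
```

Subsearches are subject to Splunk's subsearch result and runtime limits, so for a very large lookup file the `lookup`-based search above remains the safer pattern.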