Hello splunk users,

So I have a system that I am logging all errors to splunk. I have been getting a few false positives in my alert I setup.
I have found the error in the message field and have updated my search to Include " NOT = 'ERROR1' NOT = 'ERROR2'.

I have created a KNOWN_ERROR.CSV that looks like this:
KNOWN_ERROR
ERROR1
ERROR2

Here is my current search that works:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT 'ERROR1' NOT "ERROR2"
| eval src=SourceName
| table Message

*The message field is the Windows Application Event Message sent from the application that includes the phrase ERROR 1 or ERROR 2.

I have gotten some luck with this:
index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error (SourceName=APP_NAME*) NOT [|inputlookup Known_Error.csv]

When I inspect the job I find that the search is kinda working:

Normalized Search:
litsearch (index=* ((sourcetype="ms:iis:auto" s_computername="HOSTNAME*") OR (sourcetype="ms:iis:default" s_computername="HOSTNAME*") OR host="HOSTNAME*") source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | litsearch (index=* host=HOSTNAME* source="WinEventLog:Application" Type=Error SourceName=APP_NAME* NOT Known_Error="ERROR1" NOT Known_Error="ERROR2") | eval src=SourceName

The issue looks like NOT includes Known_Error as the header of my CSV but I want that to be searching the Error in the Message Field.

Hope you guys can help.