Getting Data In

How do I make a Splunk query which would exclude hosts which are in a CSV lookup table?

kannu
Communicator

Hello splunkers ,

I need help with one query. I have all hosts coming in a query when i run index=* and i have some other hosts in a CSV file which i have loaded static using lookups.

I want to run index=* again but I don't want the hosts which are there in CSV to show up in my query.

In short, during search time, i want to exclude all hosts which are there in CSV static file lookup .

I am guessing that join command would work but don't know how can i use .

Please help

0 Karma
1 Solution

renjith_nair
SplunkTrust
SplunkTrust

@kannu ,
Try

index="your index"  NOT [|inputlookup yourcsvfile]
Happy Splunking!

View solution in original post

0 Karma

renjith_nair
SplunkTrust
SplunkTrust

@kannu ,
Try

index="your index"  NOT [|inputlookup yourcsvfile]
Happy Splunking!
0 Karma
Get Updates on the Splunk Community!

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...

Let’s Get You Certified – Vegas-Style at .conf24

Are you ready to level up your Splunk game? Then, let’s get you certified live at .conf24 – our annual user ...