Solved: How can I remove entries from an existing lookup t...

ddrillic · ‎10-24-2018

I have a lookup table from which I need to remove a couple of lines. How can I do it?

niketn · ‎10-24-2018

@ddrillic are you looking for inputlookup --> Filter Unwanted Results --> outputlookup?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

View solution in original post

niketn · ‎10-24-2018

@ddrillic are you looking for inputlookup --> Filter Unwanted Results --> outputlookup?

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

ddrillic · ‎10-24-2018

Right @niketnilay ; -) this one did it - | inputlookup <lookup name> | search host != host* | outputlookup <lookup name>

Based on How to remove a row from lookup table and update it?

@niketnilay - please convert to an answer.

manjunath_n · ‎04-18-2022

Have a similar requirement.

| inputlookup <lookup name> | search host != host* | outputlookup <lookup name>

We want to remove a guid record or line containing the guid from the lookup table so we should filter using = or != ?

| inputlookup abc | search guid= 123456 | outputlookup abc, when tried with this ended up in updating only this record for the entire lookup , so ideally the query should be | inputlookup abc | search guid!= 123456 | outputlookup abc right? please clarify on the filtering of the result @ddrillic @niketn Thanks!

How can I remove entries from an existing lookup table?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms