Solved: Use inputlookup to get list of hosts that DID NOT ...

the_wolverine · ‎02-06-2013

I have a list of hosts in a lookup file called myhost.csv. I pipe my search results through this list to get a list of hosts that match those in my lookup file, however, I actually want Splunk to output a list of hosts from my lookupfile that DID NOT return results.

Does this make sense?

jeff · ‎02-06-2013

Something like this?

| inputlookup myhosts.csv | search NOT [search { whatever criteria } | fields host]

should do what you're looking for.

View solution in original post

jeff · ‎02-06-2013

Something like this?

| inputlookup myhosts.csv | search NOT [search { whatever criteria } | fields host]

should do what you're looking for.

the_wolverine · ‎02-08-2013

This was really close.

I had to use format to get it to work:

| inputlookup myhosts.csv | search NOT [search stuff | fields host | format ]

Ron_Naken · ‎02-06-2013

Is there an issue with adding a flag to the lookup file, using it as a lookup, then searching for events without the flag?

Use inputlookup to get list of hosts that DID NOT match?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life