Solved: Use inputlookup to get list of hosts that DID NOT ...

the_wolverine · ‎02-06-2013

I have a list of hosts in a lookup file called myhost.csv. I pipe my search results through this list to get a list of hosts that match those in my lookup file, however, I actually want Splunk to output a list of hosts from my lookupfile that DID NOT return results.

Does this make sense?

jeff · ‎02-06-2013

Something like this?

| inputlookup myhosts.csv | search NOT [search { whatever criteria } | fields host]

should do what you're looking for.

View solution in original post

jeff · ‎02-06-2013

Something like this?

| inputlookup myhosts.csv | search NOT [search { whatever criteria } | fields host]

should do what you're looking for.

the_wolverine · ‎02-08-2013

This was really close.

I had to use format to get it to work:

| inputlookup myhosts.csv | search NOT [search stuff | fields host | format ]

Ron_Naken · ‎02-06-2013

Is there an issue with adding a flag to the lookup file, using it as a lookup, then searching for events without the flag?

Use inputlookup to get list of hosts that DID NOT match?

.conf24 | Registration Open!

ICYMI - Check out the latest releases of Splunk Edge Processor

Introducing the 2024 SplunkTrust!