I'm trying to exclude known issues from a search by using a lookup of exclusions. Our Splunk admins lock down alert creation so I can't hard code these exclusions in the search itself which generates alerts however I can make use of lookups which I'm able to edit as needed. The search fails to exclude my list of exclusions and I still see rows for data for the excluded values. The field name DELGROUP is the same name as returned in output from source.
Is there something wrong with this search or is there a better to accomplish exclusions/overrides?
index=perfmon (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) source="*ggs_hb_vw_perf_mon" NOT ([| inputlookup dba_lookup_Exclusions.csv where (id=2) | fields exclude_name | rename exclude_name as DELGROUP]) DIFF>600
This my error, lookup name had a case error and was listed as
| inputlookup dba_lookup_exclusions.csv
and not
| inputlookup dba_lookup_Exclusions.csv
This my error, lookup name had a case error and was listed as
| inputlookup dba_lookup_exclusions.csv
and not
| inputlookup dba_lookup_Exclusions.csv
@cmille19 If your problem is resolved, please accept an answer to help future readers.
Try this:
index=perfmon AND (sourcetype=perfmon:oracle OR sourcetype=perfmon:mssql) AND source="*ggs_hb_vw_perf_mon" AND DIFF>600
NOT [|inputlookup dba_lookup_Exclusions.csv | where id==2 | fields exclude_name | rename exclude_name AS DELGROUP]