All,
I have a question on how to perform a search with the strings that are not available in a lookup file.
I have a lookup file as below:
Test_Name|Test_Case
Abar|Aliq
Azad|Aliq
And so on
Now I would want to search something like below:
Index= NOT "Abar" NOT "Azad".
How do I perform this for all the values in the lookup file?
Thanks
@prettysunshinez try the following search:
index=<yourIndexName>
    [| inputlookup <yourLookupFile>
     | stats values(Test_Name) as Test_Name
     | eval Test_Name=" NOT (\"".mvjoin(Test_Name,"\" OR \"")."\")"
     | rename Test_Name as search]
Provided your lookup file has Test_Name field values Abar and Azad, the above query will execute a search similar to the following:
index=<yourIndexName> NOT ("Abar" OR "Azad")
Following is a run-anywhere example based on Splunk's _internal index and its component field. Instead of a lookup, I am using the same index to pull a smaller set of components from a recent time range, then running the main query over a longer time period to return all the components that were present over the whole period but not in the recent one.
index=_internal sourcetype=splunkd log_level!=INFO earliest=-24h latest=now
    [ search index=_internal sourcetype=splunkd log_level!=INFO earliest=-1h latest=now
      | stats values(component) as component
      | eval component=" NOT (\"".mvjoin(component,"\" OR \"")."\")"
      | rename component as search]
| stats count by component
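The two queries above share one mechanism: a subsearch collapses a field into a multivalue with stats values, joins it into a quoted OR list with mvjoin, and hands the result back as the search field so it is pasted into the outer search as literal text. The following is an added example, not code from either poster, that mirrors that string-building in Python so the generated clause can be inspected offline. It also covers two things the one-line eval does not: escaping double quotes and backslashes inside lookup values (an unescaped quote in a value breaks the generated search string), and an optional field-scoped variant, because a bare quoted term like "Azad" matches that term anywhere in the event, not only in Test_Name. The lookup text, the sample events and the whitespace tokenizer are constructed approximations; the tokenizer stands in for Splunk's own segmentation and is not exact.

```python
"""Added example (not from the original thread): rebuild the `search` string that

    | stats values(Test_Name) as Test_Name
    | eval Test_Name=" NOT (\"".mvjoin(Test_Name,"\" OR \"")."\")"

produces, with escaping and an optional field qualifier. All data is constructed.
"""

from typing import Dict, Iterable, List, Optional

# Constructed lookup, pipe-delimited like the one in the question. Abar appears
# twice (stats values dedupes it) and the last row carries a double quote.
LOOKUP_TEXT = """Test_Name|Test_Case
Abar|Aliq
Azad|Aliq
Abar|Beta
Ab"ar|Aliq
"""

# Constructed events. The second one has Test_Name=Zeta but mentions Azad in
# another field, which is exactly where bare-term and field-scoped NOT differ.
EVENTS: List[Dict[str, str]] = [
    {"_raw": "2024-01-01 Test_Name=Abar Test_Case=Aliq result=pass", "Test_Name": "Abar"},
    {"_raw": "2024-01-01 Test_Name=Zeta Test_Case=Aliq owner=Azad", "Test_Name": "Zeta"},
    {"_raw": "2024-01-01 Test_Name=Beta Test_Case=Beta result=fail", "Test_Name": "Beta"},
]


def lookup_values(text: str, field: str, delimiter: str = "|") -> List[str]:
    """Distinct values of `field` from a delimited lookup, sorted.
    Python counterpart of `| stats values(field)`, which also dedupes."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    idx = lines[0].split(delimiter).index(field)
    seen = set()
    for ln in lines[1:]:
        cells = ln.split(delimiter)
        if len(cells) > idx and cells[idx]:
            seen.add(cells[idx])
    return sorted(seen)


def escape_spl_string(value: str) -> str:
    """Escape a value for use inside a double-quoted SPL string literal.
    Backslashes first, then quotes, so the literal re-parses to the original."""
    return value.replace("\\", "\\\\").replace('"', '\\"')


def build_not_clause(values: Iterable[str], field: Optional[str] = None) -> str:
    """Build the text the subsearch returns in its `search` field.

    field=None -> ' NOT ("Abar" OR "Azad")'           bare terms, as in the answer
    field="X"  -> ' NOT (X="Abar" OR X="Azad")'      restricted to one field
    no values  -> ''  (design choice here: leave the outer search unfiltered
                       rather than emit a dangling NOT ())
    """
    vals = list(values)
    if not vals:
        return ""
    prefix = f"{field}=" if field else ""
    terms = " OR ".join(f'{prefix}"{escape_spl_string(v)}"' for v in vals)
    return f" NOT ({terms})"


def _tokens(raw: str) -> set:
    """Rough stand-in for Splunk segmentation: split on whitespace, '=' and ','
    and lower-case, since term matching is case-insensitive. Approximation only."""
    return {t.lower() for t in raw.replace("=", " ").replace(",", " ").split()}


def filter_events(events: List[Dict[str, str]], values: Iterable[str],
                  field: Optional[str] = None) -> List[str]:
    """Return Test_Name of the events the generated NOT clause would keep.
    With field=None the quoted strings are matched as terms anywhere in _raw;
    with a field they are compared (case-insensitively) against that field."""
    wanted = {v.lower() for v in values}
    kept = []
    for ev in events:
        if field is None:
            drop = bool(_tokens(ev["_raw"]) & wanted)
        else:
            drop = ev.get(field, "").lower() in wanted
        if not drop:
            kept.append(ev["Test_Name"])
    return kept


if __name__ == "__main__":
    vals = lookup_values(LOOKUP_TEXT, "Test_Name")
    print("values:      ", vals)
    print("bare terms:  ", build_not_clause(vals))
    print("field-scoped:", build_not_clause(vals, field="Test_Name"))
    print("kept (terms):", filter_events(EVENTS, ["Abar", "Azad"]))
    print("kept (field):", filter_events(EVENTS, ["Abar", "Azad"], field="Test_Name"))
```

With the two values from the question, build_not_clause returns the same ` NOT ("Abar" OR "Azad")` the answer shows being substituted into the outer search. The second constructed event is the one to watch: the bare-term form drops it because "Azad" occurs in owner=, while the Test_Name= form keeps it, so pick the variant that matches what the lookup actually enumerates.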