Ignore records in a lookup

nolesrb · ‎07-31-2013

I have a lookup table (attached sample) and in my search I want to return records "ACCT" is not in "ACCTNBR4" in the lookup.

My current search looks something like this:
sourcetype="abc" "SAMPLE acctGuid=, 13DigitAcctNbr=, 4DigitAcctNbr=* " | rex field=_raw ", 4DigitAcctNbr=(?[0-9]{4})" | lookup TestAccounts ACCTNBR4 AS ACCT output ACCTNBR4 | stats count by ACCTNBR4

I want to exclude what is being returned.

GUID,ACCTNBR4,INSERT_DATE,NOTES,USERNAME,FNAME,LNAME

123,1234,8/24/2012 9:01:56 AM,,abc,Mad,Dog

456,1111,3/19/2013 11:29:59 AM,,def@test.net,,

the_wolverine · ‎07-31-2013

You can assign a value of NULL to the column in question and then specify it in your search:

sourcetype="abc" "SAMPLE acctGuid=, 13DigitAcctNbr=, 4DigitAcctNbr=* " | rex field=_raw ", 4DigitAcctNbr=(?[0-9]{4})" | lookup TestAccounts ACCTNBR4 AS ACCT output ACCTNBR4 | fillnull ACCTNBR4 value=NULL | search ACCTNBR4=NULL | stats count by GUID,ACCTNBR4

nolesrb · ‎08-01-2013

I am trying that, but it is still giving me the same counts.

nolesrb · ‎07-31-2013

I only want to show records if ACCT does not have a value in the ACCTNBR4 column of thelookup table.

So if 2 events looked like this:
SAMPLE acctGuid=123-abc, 13DigitAcctNbr=1234567890123, 4DigitAcctNbr=1234
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945

I would only want to return 7945, 1 from this record:
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945

I would not return the other event because 4DigitAcctNbr (field acct) 123 is in my lookup file:
SAMPLE acctGuid=def-567, 13DigitAcctNbr=0001117890123, 4DigitAcctNbr=7945

Thanks!
Ryan

sowings · ‎07-31-2013

What do you mean by "exclude what is being returned"? You want to filter to a subset of account numbers?

Ignore records in a lookup

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life