Hello,
After some time spent Googling/Splunking yesterday, I could not find a unique solution to my problem.
Goal: I have a list of services (splunkd.exe, splunkweb.exe, svchost.exe, etc.) that I want to exclude from a search without having a query string that is 25 lines. I want to read the exclusion list from a CSV.
Query pseudocode: Search index to see if any services have been installed on any systems. EXCLUDE services from .
Good things: If I just have | inputlookup this_lookup | fields services, then I can see all of my values of that field in a table in Splunk.
Bad things: If I say NOT | inputlookup this_lookup | fields services |, it doesn't recognize the match between the values in the CSV and the service_file_names in the logs and returns ALL results.
Bottom line (& at the end of the day? ;)): I noticed that in the events, the Service_File_Name is a full path, i.e. C:\Win\temp\this.sys, sometimes with quotes, sometimes with %sys%. Is it possible that the formatting I have stored these service file names in is not appropriate? It works as a query to say NOT (this.sys OR mcafee.exe), so I used the same formatting for those service names in my CSV.
Looking for direction, thank you.
P.S. I've looked at almost all of the inputlookup questions (and read the documentation) and haven't found my solution.
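Added example (not from the original post) of how the subsearch form of this exclusion would look: the subsearch has to hand back terms on the same field name the events carry (Service_File_Name, not services), and each bare name is wrapped in wildcards so it matches a full path whether or not the path is quoted or starts with a %sys%-style variable. this_lookup, services and Service_File_Name come from the post; <your_index> and <your_sourcetype> are placeholders for values the post does not give.

```spl
index=<your_index> sourcetype=<your_sourcetype> Service_File_Name=*
    NOT [
        | inputlookup this_lookup
        | fields services
        | eval Service_File_Name="*" . services . "*"
        | fields Service_File_Name
        | format
    ]
| table _time host Service_File_Name
```

Running just the bracketed part on its own (| inputlookup this_lookup | fields services | eval ... | format) shows the exact search terms Splunk substitutes, which is the quickest way to see why an exclusion is matching nothing. Subsearches are capped at 10,000 results by default, which is no concern for an exclusion list of this size.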