There are a couple ways to do what you’re asking for
The first is to use the lookup table as a filter in your initial search, like this:
index=ndx sourcetype=srctp NOT [|inputlookup mylookup | fields ip]
Or, do a lookup, and keep all the entries that have a null value in the lookup’s other field … like this:
index=ndx sourcetype=srctp
| lookup mylookup ip OUTPUT otherfield AS filterfield
| where isnull(filterfield)
from User warren – Stack Overflow https://stackoverflow.com/questions/27468553/splunk-search-doesnt-match-csv-lookup-file/73129857#73129857
via IFTTT