topic Re: What eval function returns IP addresses that are not in my input lookup file? in Dashboards & Visualizations

What eval function returns IP addresses that are not in my input lookup file?

MKAMARA — Wed, 20 Feb 2019 03:28:58 GMT

I created a dashboard with a lookup file containing IP addresses and domains. I would like to search the dashboard and expect an output of only IP addresses or Domains that are not in my lookup files.

Re: What eval function returns IP addresses that are not in my input lookup file?

richgalloway — Wed, 20 Feb 2019 14:04:37 GMT

This is no eval function to tell you if some value is not part of a lookup file. In fact, there are no eval functions at all for lookups.

One way to determine that something is not in a lookup is to do the lookup and see if the output is null.

... | lookup mylookup.csv ipaddress OUTPUT domain | eval domainPresent=if(isnull(domain), "false", "true") | ...

Re: What eval function returns IP addresses that are not in my input lookup file?

ddrillic — Wed, 20 Feb 2019 22:41:49 GMT

Something like -

index=<index name> NOT [ | inputlookup IPs.csv ]

Where the common field such as IP is in the index as well as in the lookup.

Re: What eval function returns IP addresses that are not in my input lookup file?

MKAMARA — Tue, 29 Sep 2020 23:24:00 GMT

Rich, Thank you for the response and apologies for the wrong choice of words. I am fetching data from a SharePoint site, within those data, there are sets of IP addresses that I am searching against. All I want to know is what is currently not stored in the sharepoint site. I dont know if this is clear enough. This is my current search that returns data that matches index="my_sharepoint" sourcetype="deadzone_block"
    [| localop
    | stats count
    | eval entry="block_string"
| eval entry=trim(entry)
    | rex field=entry "(?.*?)(\r|\s|$)" max_match=0
    | mvexpand search
    | table search
    | format ]
| table my_table.

Now how can I change this to return only IPs and domains not match in those set of data?

Re: What eval function returns IP addresses that are not in my input lookup file?

richgalloway — Thu, 21 Feb 2019 13:29:53 GMT

What is the point of the localop subsearch? In a distributed environment, it won't find any data since it won't run on indexers. The leading stats command produces a zero that is not used. The eval is a literal string that is then decomposed - why not hardcode the decomposed values?
How are you fetching the data from SharePoint? Can you search for the IP address fetched from SharePoint and discard it if it's already in Splunk?