https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440167#M125173 <P>You don't have to use the <CODE>join</CODE> command. Have you tried using the query I stated above? If you add the <CODE>count</CODE> command, you should get exactly the result you want.</P> <PRE><CODE> index=firewall log_subtype="vulnerability" severity="informational" | search [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip </CODE></PRE> Fri, 01 Feb 2019 08:12:37 GMT DMohn 2019-02-01T08:12:37Z https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440163#M125169 <P>Hi,</P> <P>I need to check if the source address from the firewall logs is in private ip address range. How would i check using inputlookup and join commands. <BR /> Below is the query i am using , however no results come up</P> <P>index=firewall log_subtype=vulnerability severity=informational | join src [ inputlookup PRIVATE_IP.csv ] | stats count by src</P> Tue, 29 Sep 2020 23:02:43 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440163#M125169 ajayrejin 2020-09-29T23:02:43Z https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440164#M125170 <P>@ajayrejin,</P> <P>Try this and lets know if it works.</P> <PRE><CODE>index=firewall log_subtype=vulnerability severity=informational |eval flag=0 |append [inputlookup PRIVATE_IP.csv |eval flag=1] |stats count , max(flag) as flag by src </CODE></PRE> <P>If the count is &gt; 1 and flag=1 then its a private IP which is part of your lookup file.</P> Thu, 31 Jan 2019 13:40:18 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440164#M125170 renjith_nair 2019-01-31T13:40:18Z https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440165#M125171 <P>Hi,</P> <P>You don't have to use a join here, which is a very "costly" command. A simple subsearch does the trick as well:</P> <PRE><CODE> index=firewall log_subtype=vulnerability severity=informational | search [inputlookup PRIVATE_IP.csv] </CODE></PRE> <P>Given that the lookup table contains only one field named "src" - otherwise you will have to restrict the return from the subsearch and / or rename the field.</P> Thu, 31 Jan 2019 13:52:02 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440165#M125171 DMohn 2019-01-31T13:52:02Z https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440166#M125172 <P>Hi,</P> <P>Thank you for that query.<BR /> I am using the below query and results i see is only public IP addresses, however result should show only private IPs. Am i doin something wrong? Please do correct me</P> <P>index=frewall log_subtype="vulnerability" severity="informational" | join type=left src_ip [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip</P> Tue, 29 Sep 2020 23:03:14 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440166#M125172 ajayrejin 2020-09-29T23:03:14Z https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440167#M125173 <P>You don't have to use the <CODE>join</CODE> command. Have you tried using the query I stated above? If you add the <CODE>count</CODE> command, you should get exactly the result you want.</P> <PRE><CODE> index=firewall log_subtype="vulnerability" severity="informational" | search [ inputlookup PRIVATE_IP.csv ] | stats count by src_ip </CODE></PRE> Fri, 01 Feb 2019 08:12:37 GMT https://community.splunk.com/t5/Splunk-Search/Search-query-required-to-lookup-a-csv-file/m-p/440167#M125173 DMohn 2019-02-01T08:12:37Z