topic Re: Check if IP address from search not in list of IP address in Splunk Search

Check if IP address from search not in list of IP address

ashishmgupta — Wed, 30 Sep 2020 02:00:49 GMT

I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below :
10.34*
10.35*
172.20*
172.21*
172.168*

I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc.
I upload the CSV in the "Lookup table files" as "all_ip.csv"

This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"?
index=myindex src_ip | inputlookup all_ip.csv

Thanks for all the help.

Re: Check if IP address from search not in list of IP address

masonmorales — Thu, 29 Aug 2019 19:28:24 GMT

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

Re: Check if IP address from search not in list of IP address

wmyersas — Thu, 29 Aug 2019 21:02:36 GMT

And make sure the lookup definiton will do CIDR matches