https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547693#M155315 <P>Try this one out:</P><LI-CODE lang="markup">index=firewall src_ip!="192.168.0.0/16" | fields src_ip [| inputlookup RYUK.csv | stats values(src_ip) AS search | format ] | stats count by src_ip</LI-CODE><P>Similar to the linked reply below. Does that get you what you need? Hope this helped!</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Search-for-all-events-for-IP-address-within-a-CSV-file/td-p/288181" target="_blank">Solved: Search for all events for IP address within a CSV ... - Splunk Community</A></P> Tue, 13 Apr 2021 00:09:17 GMT 96nick 2021-04-13T00:09:17Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547692#M155314 <P>I have a list of source ip addresses in a csv file loaded into Splunk as a lookup file.&nbsp; The file has a single field, src_ip, and about 4000 rows of unique ip address.</P><P>I want to take the contents of the lookup file and compare each entry to a search of filewall logs and report the number of times each entry in the lookup file is present in the firewall data.</P><P>I have this so far but the src_ip listed in the result is not always present in the lookup file.</P><P>&nbsp;</P><LI-CODE lang="markup">index="firewall" src_ip!="192.168.0.0/16" | fields src_ip | append [ | inputlookup RYUK.csv | fields src_ip] | stats count by src_ip</LI-CODE><P>&nbsp;</P><P>Any suggestions greatly appreciated.</P><P>Thanks<BR />Leigh</P> Mon, 12 Apr 2021 23:58:40 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547692#M155314 balcv 2021-04-12T23:58:40Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547693#M155315 <P>Try this one out:</P><LI-CODE lang="markup">index=firewall src_ip!="192.168.0.0/16" | fields src_ip [| inputlookup RYUK.csv | stats values(src_ip) AS search | format ] | stats count by src_ip</LI-CODE><P>Similar to the linked reply below. Does that get you what you need? Hope this helped!</P><P><A href="https://community.splunk.com/t5/Getting-Data-In/Search-for-all-events-for-IP-address-within-a-CSV-file/td-p/288181" target="_blank">Solved: Search for all events for IP address within a CSV ... - Splunk Community</A></P> Tue, 13 Apr 2021 00:09:17 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547693#M155315 96nick 2021-04-13T00:09:17Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547694#M155316 <P>That query takes all of the src_ip values found in the firewall index and adds to it all of the src_ip values from the RYUK lookup file.&nbsp; The result is the union, rather than the intersection, of the two sets.</P><P>To get the intersection, use this query to tell Splunk to only pull events that contain a listed src_ip value.</P><P>&nbsp;</P><LI-CODE lang="markup">index="firewall" src_ip!="192.168.0.0/16" [ | inputlookup RYUK.csv | return 1000 src_ip] | stats count by src_ip</LI-CODE><P>&nbsp;</P><P>The subsearch reads the lookup file and reformats it into a query string of the form "(src_ip=1.2.3.4 OR src_ip=1.2.3.5 OR src_ip=1.3.4.5 ...)"</P> Thu, 15 Apr 2021 13:05:21 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547694#M155316 richgalloway 2021-04-15T13:05:21Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547698#M155319 <P>Thanks <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a>&nbsp; That appears to have done the trick but I'll need to wait until I have data that matches, but I think it should be fine.</P><P>Thanks<BR />Leigh</P> Tue, 13 Apr 2021 01:29:29 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547698#M155319 balcv 2021-04-13T01:29:29Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547961#M155381 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/213957">@richgalloway</a> .&nbsp; Having had this running for a couple of days, it would appear that this search only takes the first address in the lookup file.&nbsp; I tested this by manually adding addresses I knew were valid and each time it only ever returned a count for the first address in the file and a count of that address.</P><P>It did not move through the entire lookup file.</P><P>Cheers<BR />Leigh</P> Wed, 14 Apr 2021 23:49:41 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547961#M155381 balcv 2021-04-14T23:49:41Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547962#M155382 <P>Hi <a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/32903">@96nick</a> . Thanks for your repsonse.</P><P>This it not giving me exactly what I wanted.&nbsp; It appears that it lists all the addresses found in the firewall log with a count rather than using the addresses in the lookup file.</P><P>I tested this by running the search then manually looking then up in the file lookup file and most did not exist in the file.&nbsp;</P><P>I need to take each address in the lookup file, compare to the firewall data and give a count for the number of matches against that file.</P><P>Cheers<BR />Leigh</P> Wed, 14 Apr 2021 23:51:57 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/547962#M155382 balcv 2021-04-14T23:51:57Z https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/548014#M155402 <P>You're right.&nbsp; I left out an argument to the <FONT face="courier new,courier">return</FONT> command.&nbsp; See the revised answer.</P> Thu, 15 Apr 2021 13:05:59 GMT https://community.splunk.com/t5/Splunk-Search/Search-incorporating-inputlookup/m-p/548014#M155402 richgalloway 2021-04-15T13:05:59Z