Search lookup for non-matching values

ldunzweiler — Tue, 11 Jul 2017 15:07:11 GMT

I have the following search (MySearch), which is tied to an alert.

index=exchange_smtp Context=authenticated OR EHLO | iplocation ipaddress | search Country != "United States" | transaction Session keepevicted=true | Search Context=authenticated | eval merged=user.Country | lookup user_location username as merged | search NOT target=* | table Data,Session,ipaddress,user,Country

I have a lookup file called smtpforeignip.csv with a search that populates and updates this file with ipaddress,user,Country.

I want to modify MySearch to do a comparison against smtpforeignip.csv. If there is a matching ipaddress I do not want the alert to trigger. I ONLY want the alert to trigger when there is a non-matching ipaddress.

Re: Search lookup for non-matching values

somesoni2 — Tue, 11 Jul 2017 15:51:08 GMT

Try like this. The NOT subsearch will exclude all those foreign ip address from the main result itself.

index=exchange_smtp Context=authenticated OR EHLO NOT [| inputlookup smtpforeignip.csv | table ipaddress ]| iplocation ipaddress | search Country != "United States" | transaction Session keepevicted=true | Search Context=authenticated | eval merged=user.Country | lookup user_location username as merged | search NOT target=* | table Data,Session,ipaddress,user,Country

topic Re: Search lookup for non-matching values in Splunk Search

Search lookup for non-matching values

Re: Search lookup for non-matching values