topic Re: NOT Inputlookup not working in Splunk Search

NOT Inputlookup not working

willadams — Tue, 29 Sep 2020 20:33:36 GMT

I am trying to perform a search and trying to add an inputlookup to filter information I don't need to know about. For example if I run the following query

This produces a result and the logs filter correctly (proved by removing NOT and only seeing the entries from the inputlookup; and adding the NOT and not seeing the entries from the inputlookup).

However if I then try to extend my query with the following it no longer filters and I am not sure where I have gone wrong. The query is as follows:

index=firewall "destination network"=external NOT(action=blocked) NOT [|inputlookup agent-inclusion-knownapps | where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent username src dest dest_port rule action
| sort -count

Re: NOT Inputlookup not working

willadams — Fri, 20 Jul 2018 02:33:05 GMT

The inclusion file for reference purposes is configured as:

agent

"applicationx.exe"

The file permissions are correct and the lookup is a tabled definition referencing the csv file.

Re: NOT Inputlookup not working

Shan — Fri, 20 Jul 2018 05:44:37 GMT

@ willadams

So your saying, by adding the below code your query is not working.
If that is the scenario give a try like this.
I'm not sure it will work, but this is my suggestion..

"destination network"=external NOT(action=blocked)

"destination network" --> I believe this is a value.
external --> I Hope this is a field
try this

Index=***
"destination network"=external NOT action IN("blocked")

If "destination network" is a filed then try this

 Index=***
    | rename "destination network" as destination_network
    destination_network=external NOT action IN("blocked")

Re: NOT Inputlookup not working

HiroshiSatoh — Fri, 20 Jul 2018 08:33:13 GMT

I think the search sentence is not wrong.
Please check the search sentence in the search log of the INSPECT JOB to see if it is the intended search sentence.

Re: NOT Inputlookup not working

willadams — Tue, 29 Sep 2020 20:34:23 GMT

Even if I omit the "destination network" the results still end up the same. For example if I run this

However I did try and remove the NOT from just before " [|inputlookup" and found that I am only getting 1 result. It looks as though SPLUNK is not referencing my lookup properly.

Re: NOT Inputlookup not working

willadams — Mon, 23 Jul 2018 03:47:07 GMT

For example my lookup file shows as (ignore the *)

agent

"application1.exe"
"application2.exe"
"application3.exe"
"application11.exe"
"application22.exe"
"application33.exe"

If I look at the data currently being referenced I get "application1.exe" and cannot see application2.exe; application3.exe etc. it only references application1.exe