How to return all search results where an IP address matches one in a lookup blacklist?

Engager

I have a search that returns a list with user,dc(Country),values(Country),values(src)

I would like to only show results where a 'src' matches the ip field in a lookup called 'blacklist'. The field will likely need to be renamed.

I'm having a hard time getting a search that will return only results where the IP matches the blacklist.

Search:
index=*_vpn  | iplocation src | stats dc(Country),values(Country),values(src) by user

Searching the blacklist would look like (I think):

1.1.1.1 [| inputlookup blacklist | fields src | rename ip AS src]

If anyone knows how to make this work, that would be greatly appreciated.

Thanks

SplunkTrust

Try the following:

index=*_vpn  [| inputlookup blacklist.csv | rename ip AS src | table src] 
| iplocation src 
| stats dc(Country) as CountryCount values(Country) as Country values(src) as srcIPs by user
____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
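An added alternative, not part of the answer above: the same filter written with the `lookup` command instead of a subsearch. A subsearch returns at most 10,000 rows by default (limits.conf `[subsearch] maxout`), so a large blacklist can be silently truncated; `lookup` has no such limit and, placed before `iplocation`, only the matched events get enriched. It assumes a lookup definition named `blacklist` (the name used in the question) with an `ip` column; `blacklisted_ip` is just a chosen name for the output field.

```spl
index=*_vpn
| lookup blacklist ip AS src OUTPUT ip AS blacklisted_ip
| where isnotnull(blacklisted_ip)
| iplocation src
| stats dc(Country) AS CountryCount values(Country) AS Country values(src) AS srcIPs by user
```

Both this and the subsearch version match the `ip` column as an exact string; to match CIDR ranges in the blacklist, the lookup definition needs `match_type = CIDR(ip)` in transforms.conf.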