How to return all search results where an IP address matches one in a lookup blacklist?


I have a search that returns a list with user,dc(Country),values(Country),values(src)

I would like to only show results where a 'src' matches the ip field in lookup called 'blacklist'. The field will likely need to be renamed.

I'm having a hard time getting a search that will return only results where the IP matches the blacklist.

index=*_vpn  | iplocation src | stats dc(Country),values(Country),values(src) by user

Searching the blacklist would look like (I think): [| inputlookup blacklist | rename ip AS src | fields src]

If anyone knows how to make this work, that would be greatly appreciated.




Try the following:

index=*_vpn [| inputlookup blacklist.csv | rename ip AS src | table src]
| iplocation src
| stats dc(Country) as CountryCount values(Country) as Country values(src) as srcIPs by user

| makeresults | eval message= "Happy Splunking!!!"
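The subsearch above is expanded into an OR of `src=` terms before the main search runs, so it silently truncates once the blacklist exceeds the subsearch result limit (10,000 rows by default). As an added example that is not part of the original answer, the same filter can be done with the `lookup` command instead, which streams the events through the lookup table and has no such row limit; it assumes a lookup definition named `blacklist` exists whose `ip` column holds the blacklisted addresses, and `blacklisted_ip` is a name chosen here for the matched output field:

```spl
index=*_vpn
| lookup blacklist ip AS src OUTPUT ip AS blacklisted_ip
| where isnotnull(blacklisted_ip)
| iplocation src
| stats dc(Country) AS CountryCount values(Country) AS Country values(src) AS srcIPs by user
```

Events whose `src` is not in the lookup get no `blacklisted_ip` value and are dropped by the `where` clause; only matching events reach `iplocation` and `stats`.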