Use CSV file as an exemption to the main search

barney00
New Member

I have a main query which shows the destination IP of the computer, and there are some destination IPs that I need to exempt. There are many IP addresses that I need to exempt, so how can I put the CSV as an exemption to the main search?

| datamodel IPP_Assets STOR search | search FTP.dest_ip!=10* **<- This should be a CSV that has a IP Addresses and need to exempt to the main search**
[| inputlookup owatch_ss_objects.csv | search inet_facing=* | rename src_ip as FTP.src_ip | fields + FTP.src_ip | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log

somesoni2
Revered Legend

Your query is using the owatch_ss_objects.csv lookup/csv to allow IPs in field FTP.src_ip. You can use the same type of subsearch to filter/exclude the FTP.dest_ip values from the same/different lookup. You just have to add a NOT in front of the subsearch.
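The full query with the exclusion applied, as an added example rather than code from either post: it assumes an exemption lookup named exempt_dest_ips.csv with a column dest_ip, which is renamed to FTP.dest_ip so that format emits a filter on the right field, and the whole subsearch is negated with NOT.

```spl
| datamodel IPP_Assets STOR search
| search
    [| inputlookup owatch_ss_objects.csv
     | search inet_facing=*
     | rename src_ip as FTP.src_ip
     | fields + FTP.src_ip
     | format]
| search NOT
    [| inputlookup exempt_dest_ips.csv
     | rename dest_ip as FTP.dest_ip
     | fields + FTP.dest_ip
     | format]
| fields + FTP.src_ip, FTP.dest_ip, FTP.password, FTP.arg, FTP.command, FTP.mime_type, FTP.Spike_Log
| bucket _time span=1d as Day
| timechart span=1d count by FTP.Spike_Log
```

The second subsearch expands to NOT ( ( FTP.dest_ip="a" ) OR ( FTP.dest_ip="b" ) ... ), so check the exemption list against the subsearch result limit in limits.conf (10,000 rows by default) or exempt IPs will be silently dropped from the filter.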
