Splunk Dev
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

filter out events from lookuptable

benmon
Explorer
‎03-21-2016 04:28 AM

Hi,

I have the correlation rule-Substantial Increase In Events enabled but I just want to fine tune this rule based on our environment.

I dont want this rule to fire when there is a match in the signature that is defined in the lookuptable "substantialincreasesignature.csv".

But as soon as I run this it is throwing an error,can you check out this for me.

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature| search IDS_Attacks.signature!=* [inputlookup substantialincreasesignature.csv]

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature as signatures AND NOT[|inputlookup substantialincreasesignature|fields signature]

Both search I tried but no results:(

Regards,

Tags (1)
0 Karma
Reply

somesoni2
Revered Legend
‎03-21-2016 11:28 AM

Give this a try

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]

Update
It could be the field names returned by the data model doesn't match the field name in lookup. Replace the inputlookup query with this in above

| inputlookup substantialincreasesignature | table signature | rename signature with ExactFieldNameFromDataModelResult]

To get the ExactFieldNameFromDataModelResult, run your base search and check the name of signature field.

 | tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
Reply

benmon
Explorer
‎03-22-2016 03:32 AM

somesoni2,

your query is working fine,but it is showing data that is present in the lookuptable 'substantialincreasesignature'.I dont want to see the data that I have specified in the lookup table.

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]

0 Karma
Reply

somesoni2
Revered Legend
‎03-23-2016 07:20 AM

See the updated section of the answer

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎03-21-2016 10:59 AM

You say it's throwing an error - what error?

0 Karma
Reply

benmon
Explorer
‎03-23-2016 12:14 AM

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields IDS_Attacks.signature]

is showing results that is in lookuptable.

How to get the events that is not in the lookuptable?

0 Karma
Reply
Get Updates on the Splunk Community!

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

Join us on Wed, Dec 10. at 10AM PST / 1PM EST for a live webinar and demo with Splunk experts! Discover how ...

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

If you’re unfamiliar, .conf is Splunk’s premier event where the Splunk community, customers, partners, and ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...