Splunk Dev

filter out events from lookuptable

benmon
Explorer

Hi,

I have the correlation rule-Substantial Increase In Events enabled but I just want to fine tune this rule based on our environment.

I dont want this rule to fire when there is a match in the signature that is defined in the lookuptable "substantialincreasesignature.csv".

But as soon as I run this it is throwing an error,can you check out this for me.

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature| search IDS_Attacks.signature!=* [inputlookup substantialincreasesignature.csv]

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature as signatures AND NOT[|inputlookup substantialincreasesignature|fields signature]

Both search I tried but no results:(

Regards,

Tags (1)
0 Karma

somesoni2
SplunkTrust
SplunkTrust

Give this a try

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]

Update
It could be the field names returned by the data model doesn't match the field name in lookup. Replace the inputlookup query with this in above

| inputlookup substantialincreasesignature | table signature | rename signature with ExactFieldNameFromDataModelResult]

To get the ExactFieldNameFromDataModelResult, run your base search and check the name of signature field.

 | tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature

benmon
Explorer

somesoni2,

your query is working fine,but it is showing data that is present in the lookuptable 'substantialincreasesignature'.I dont want to see the data that I have specified in the lookup table.

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]

0 Karma

somesoni2
SplunkTrust
SplunkTrust

See the updated section of the answer

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

You say it's throwing an error - what error?

0 Karma

benmon
Explorer

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields IDS_Attacks.signature]

is showing results that is in lookuptable.

How to get the events that is not in the lookuptable?

0 Karma
Get Updates on the Splunk Community!

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Elevating Digital Service Excellence: The Synergy of Real User Monitoring and Application Performance ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...