Splunk Dev

filter out events from lookuptable

benmon
Explorer

Hi,

I have the correlation rule "Substantial Increase In Events" enabled, but I just want to fine-tune this rule based on our environment.

I don't want this rule to fire when there is a match on a signature that is defined in the lookup table "substantialincreasesignature.csv".

But as soon as I run this it is throwing an error; can you check this out for me?

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature| search IDS_Attacks.signature!=* [inputlookup substantialincreasesignature.csv]

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature as signatures AND NOT[|inputlookup substantialincreasesignature|fields signature]

I tried both searches but got no results :(

Regards,


somesoni2
Revered Legend

Give this a try

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]

Update
It could be that the field names returned by the data model don't match the field name in the lookup. Replace the inputlookup subsearch in the search above with this:

[| inputlookup substantialincreasesignature | table signature | rename signature AS ExactFieldNameFromDataModelResult]

To get the ExactFieldNameFromDataModelResult, run your base search and check the name of the signature field:

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature

benmon
Explorer

somesoni2,

your query is working fine, but it is showing data that is present in the lookup table 'substantialincreasesignature'. I don't want to see the data that I have specified in the lookup table.

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields signature]


somesoni2
Revered Legend

See the updated section of the answer


martin_mueller
SplunkTrust

You say it's throwing an error - what error?


benmon
Explorer

| tstats allow_old_summaries=true count,values(IDS_Attacks.tag) as orig_tag from datamodel=Intrusion_Detection by IDS_Attacks.signature
| search NOT [|inputlookup substantialincreasesignature|fields IDS_Attacks.signature]

is showing results that are in the lookup table.

How do I get the events that are not in the lookup table?

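The thread's answer, written out as one complete search (an added example, not code from any poster). It assumes the lookup column is named `signature` (as the subsearches above use) and that the lookup file has been uploaded so `inputlookup substantialincreasesignature` resolves. The reason the earlier attempts returned everything is that a subsearch expands to an OR of `field="value"` terms using the subsearch's own field name; `signature="x"` never matches a tstats row whose field is called `IDS_Attacks.signature`, so `NOT (...)` is true for every row. Renaming the lookup column to the data model's field name before the subsearch returns fixes that. The second search is a check you can run on its own: `format` prints the exact expression the subsearch will inject, so you can confirm the field name and the values before trusting the exclusion.

```spl
| tstats allow_old_summaries=true count, values(IDS_Attacks.tag) as orig_tag
    from datamodel=Intrusion_Detection
    by IDS_Attacks.signature
| search NOT [
    | inputlookup substantialincreasesignature
    | fields signature
    | rename signature AS "IDS_Attacks.signature"
  ]

| inputlookup substantialincreasesignature
| fields signature
| rename signature AS "IDS_Attacks.signature"
| format
```

If the `format` output shows `signature="..."` rather than `"IDS_Attacks.signature"="..."`, the rename did not apply, which usually means the lookup column is not literally called `signature`; check the CSV header and adjust the `fields`/`rename` pair accordingly. Keep the lookup small: a subsearch is capped by the `maxout` setting in limits.conf (10,000 rows by default), and rows beyond that limit are silently dropped from the exclusion.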