Solved: How to filter data in an input lookup table?

pbdiggins · ‎07-18-2023

Hey Splunk People,

I'm running a search against a CSV file:

|inputlookup "GSOCdata_230717.csv" | fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc | stats sum(psrsvd_gc) as count by source_address, destination_address, protocol_id, destination_port

This builds a table w/ the specified data types contained in the CSV file. Can I filter my data to a smaller output table? I'd like to exclude certain IP addresses from the output of this command. I've tried using a CIDR notation of my address space, but it just chokes.. I've tried .. piping to "eval source_address=172.16.50.0/24" but it doesn't seem to like it..

Do you have a suggestion to do this? I worked around this by just building another CSV file with the data filtered to where I want to go, but it seems like this should be solvable in a more elegant way.

Thanks,

Paul Diggins

diogofgm · ‎07-18-2023

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

pbdiggins · ‎07-20-2023

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that...

diogofgm · ‎07-18-2023

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.

pbdiggins · ‎07-24-2023

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that...

How to filter data in an input lookup table?

troubleshooting

Join Us for Splunk University and Get Your Bootcamp Game On!

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

Announcing Scheduled Export GA for Dashboard Studio