Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter data in an input lookup table?

pbdiggins
Explorer
‎07-18-2023 12:16 PM

Hey Splunk People,

 

I'm running a search against a CSV file:

|inputlookup "GSOCdata_230717.csv" | fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc | stats sum(psrsvd_gc) as count by source_address, destination_address, protocol_id, destination_port

 

This builds a table w/ the specified data types contained in the CSV file. Can I filter my data to a smaller output table? I'd like to exclude certain IP addresses from the output of this command. I've tried using a CIDR notation of my address space, but it just chokes.. I've tried .. piping to "eval source_address=172.16.50.0/24" but it doesn't seem to like it..

 

Do you have a suggestion to do this? I worked around this by just building another CSV file with the data filtered to where I want to go, but it seems like this should be solvable in a more elegant way.

 

Thanks,

 

Paul Diggins

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎07-18-2023 02:26 PM

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

pbdiggins
Explorer
‎07-20-2023 05:52 AM

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that... 

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎07-18-2023 02:26 PM

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

pbdiggins
Explorer
‎07-24-2023 05:20 AM

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that... 

0 Karma
Reply
Get Updates on the Splunk Community!

Modernize your Splunk Apps – Introducing Python 3.13 in Splunk

We are excited to announce that the upcoming releases of Splunk Enterprise 10.2.x and Splunk Cloud Platform ...

New Release | Splunk Cloud Platform 10.1.2507

Hello Splunk Community!We are thrilled to announce the General Availability of Splunk Cloud Platform 10.1.2507 ...

🌟 From Audit Chaos to Clarity: Welcoming Audit Trail v2

🗣 You Spoke, We Listened  Audit Trail v2 wasn’t written in isolation—it was shaped by your voices.  In ...