Splunk Enterprise Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter data in an input lookup table?

pbdiggins
Explorer
‎07-18-2023 12:16 PM

Hey Splunk People,

 

I'm running a search against a CSV file:

|inputlookup "GSOCdata_230717.csv" | fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc | stats sum(psrsvd_gc) as count by source_address, destination_address, protocol_id, destination_port

 

This builds a table w/ the specified data types contained in the CSV file. Can I filter my data to a smaller output table? I'd like to exclude certain IP addresses from the output of this command. I've tried using a CIDR notation of my address space, but it just chokes.. I've tried .. piping to "eval source_address=172.16.50.0/24" but it doesn't seem to like it..

 

Do you have a suggestion to do this? I worked around this by just building another CSV file with the data filtered to where I want to go, but it seems like this should be solvable in a more elegant way.

 

Thanks,

 

Paul Diggins

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎07-18-2023 02:26 PM

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution

pbdiggins
Explorer
‎07-20-2023 05:52 AM

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that... 

0 Karma
Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎07-18-2023 02:26 PM

You can pipe | search source_address=172.16.50.0/24 to your search I order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

pbdiggins
Explorer
‎07-24-2023 05:20 AM

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that... 

0 Karma
Reply
Get Updates on the Splunk Community!

Update Your SOAR Apps for Python 3.13: What Community Developers Need to Know

To Community SOAR App Developers - we're reaching out with an important update regarding Python 3.9's ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Automatic Discovery Part 2: Setup and Best Practices

In Part 1 of this series, we covered what Automatic Discovery is and why it’s critical for observability at ...