Splunk Enterprise Security

How to filter data in an input lookup table?

pbdiggins
Explorer

Hey Splunk People,

I'm running a search against a CSV file:

|inputlookup "GSOCdata_230717.csv" | fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc | stats sum(psrsvd_gc) as count by source_address, destination_address, protocol_id, destination_port

This builds a table with the specified data types contained in the CSV file. Can I filter my data to a smaller output table? I'd like to exclude certain IP addresses from the output of this command. I've tried using a CIDR notation of my address space, but it just chokes. I've tried piping to "eval source_address=172.16.50.0/24" but it doesn't seem to like it.

Do you have a suggestion to do this? I worked around this by just building another CSV file with the data filtered to where I want to go, but it seems like this should be solvable in a more elegant way.

Thanks,

Paul Diggins

1 Solution

diogofgm
SplunkTrust

You can pipe | search source_address=172.16.50.0/24 to your search in order to filter the results

------------
Hope I was able to help you. If so, some karma would be appreciated.
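As an added example that is not part of the original thread: the accepted answer keeps rows inside the range, while the question asked to exclude a range, so the filter is negated with NOT and placed before stats so the excluded rows never enter the sums. The second search does the same with cidrmatch(), which is easier to extend to several ranges; the 10.0.0.0/8 range is a placeholder I made up, not from the thread.

```spl
| inputlookup "GSOCdata_230717.csv"
| fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc
| search NOT source_address=172.16.50.0/24
| stats sum(psrsvd_gc) AS count BY source_address, destination_address, protocol_id, destination_port

| inputlookup "GSOCdata_230717.csv"
| fields source_address, destination_address, protocol_id, destination_port, psrsvd_gc
| where NOT (cidrmatch("172.16.50.0/24", source_address) OR cidrmatch("10.0.0.0/8", source_address))
| stats sum(psrsvd_gc) AS count BY source_address, destination_address, protocol_id, destination_port
```

Because source_address is a BY field, filtering after stats would give the same table here, but filtering first avoids aggregating groups that are thrown away anyway, and the same cidrmatch() test can be applied to destination_address.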


pbdiggins
Explorer

Thanks very much. This worked perfectly. I didn't know that you could pipeline another search like that... 
