Splunk Enterprise Security

Input lookup results: How to exclude results from Lookups?

Ash
Engager

Hi,

index=network sourcetype=cisco:asa NOT src_ip IN("10.0.0.0/8","10.0.0.1","10.0.0.2") | bucket _time span=1m
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip _time
| where num_dest_port > 500 OR num_dest_ip > 500 | eval Total=num_dest_port+num_dest_ip | sort -Total | dedup src_ip

With Lookups:

index=network sourcetype=cisco:asa NOT src_ip IN("10.0.0.0/8","10.0.0.1","10.0.0.2") | search NOT [|inputlookup Blocked_IP.csv] | fields src_ip | bucket _time span=1m
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip _time
| where num_dest_port > 500 OR num_dest_ip > 500 | eval Total=num_dest_port+num_dest_ip | sort -Total | dedup src_ip


I am not able to exclude the results from the lookup, or if I modify the search I'm not getting any results at all. Kindly help.


FelixLeh
Contributor

So if I understand you correctly you want something like this:

index=network sourcetype=cisco:asa NOT src_ip IN("10.0.0.0/8","10.0.0.1","10.0.0.2")
| lookup Blocked_IP src_ip OUTPUT src_ip as is_blocked
| where isnull(is_blocked)
| bucket _time span=1m
| stats dc(dest_port) as num_dest_port dc(dest_ip) as num_dest_ip by src_ip _time
| where num_dest_port > 500 OR num_dest_ip > 500
| eval Total=num_dest_port+num_dest_ip
| sort -Total
| dedup src_ip


You can look up any csv within a search with "|lookup", and you don't need to reference the name of the csv if you have made a lookup definition for it (e.g. if you have a csv named "my_lookup.csv" and a definition called "my_lookup", you can reference it in searches with "|lookup my_lookup").

Using "| fields src_ip" removes all fields except src_ip, leading to you not seeing events.



Ash
Engager

Thank you, it helped. BTW, what is "where isnull(is_blocked)" used for?


FelixLeh
Contributor

| lookup Blocked_IP src_ip OUTPUT src_ip as is_blocked creates a field is_blocked for every event where a matching IP is found in the lookup. | where isnull(is_blocked) then removes all events where the field is_blocked has a value (all events that have a matching IP).

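As an added illustration (not code from this thread or from Splunk), the following Python models what the accepted answer's search does and what the last reply explains: the IP/CIDR exclusions, the anti-join that "| lookup Blocked_IP src_ip OUTPUT src_ip as is_blocked | where isnull(is_blocked)" performs, the 1-minute bucketing with distinct counts, the threshold, and the sort/dedup. It also reproduces why the original "| fields src_ip" step returned nothing: once dest_ip and dest_port are gone, dc() counts zero and the where clause drops every row. The cisco:asa-like events, the Blocked_IP.csv contents and the addresses are all constructed for the example; the one thing that has to hold in a real deployment is that the lookup column name matches the event field (src_ip here), for the lookup form as well as for a "NOT [| inputlookup ...]" subsearch, which expands into field=value terms using the csv's own column names.

```python
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for Blocked_IP.csv. The column is named src_ip so that
# "| lookup Blocked_IP src_ip" (and a "NOT [| inputlookup Blocked_IP.csv]"
# subsearch) match on the same field the events carry.
BLOCKED_IP_CSV = """src_ip,comment
203.0.113.9,already blocked at the perimeter
"""

# The exclusions from the original search's NOT src_ip IN(...) clause.
EXCLUDED = ["10.0.0.0/8", "10.0.0.1", "10.0.0.2"]


def load_blocked(csv_text):
    """Equivalent of the lookup table: the set of src_ip values it contains."""
    return {row["src_ip"] for row in csv.DictReader(io.StringIO(csv_text))}


def is_excluded(ip, patterns=EXCLUDED):
    """CIDR-aware version of NOT src_ip IN(...): True if ip falls in any pattern."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in patterns)


def make_events():
    """Constructed events as (time, src_ip, dest_ip, dest_port) tuples."""
    t0 = datetime(2024, 1, 1, 12, 0, 0)
    events = []
    # 203.0.113.9 is in the lookup, 198.51.100.7 is a sweep not yet in it,
    # 10.0.0.5 is internal (excluded by CIDR); all three touch 600 ports in one minute.
    for port in range(1, 601):
        ts = t0 + timedelta(seconds=port % 60)
        for src in ("203.0.113.9", "198.51.100.7", "10.0.0.5"):
            events.append((ts, src, "192.0.2.10", port))
    # 192.0.2.1 is ordinary traffic to a single port.
    for i in range(20):
        events.append((t0 + timedelta(seconds=i), "192.0.2.1", "192.0.2.10", 443))
    return events


def detect(events, blocked, drop_dest_fields=False, threshold=500):
    """Mirror of the answer's pipeline. drop_dest_fields=True reproduces the
    effect of "| fields src_ip" in the original search."""
    per_key = defaultdict(lambda: {"ports": set(), "ips": set()})
    for ts, src_ip, dest_ip, dest_port in events:
        if is_excluded(src_ip):
            continue
        if src_ip in blocked:            # lookup matched -> is_blocked set -> dropped by isnull()
            continue
        if drop_dest_fields:             # dest_ip/dest_port no longer exist for dc()
            dest_ip, dest_port = None, None
        minute = ts.replace(second=0, microsecond=0)   # bucket _time span=1m
        entry = per_key[(src_ip, minute)]
        if dest_port is not None:
            entry["ports"].add(dest_port)
        if dest_ip is not None:
            entry["ips"].add(dest_ip)
    rows = []
    for (src_ip, minute), e in per_key.items():
        num_dest_port, num_dest_ip = len(e["ports"]), len(e["ips"])
        if num_dest_port > threshold or num_dest_ip > threshold:   # where ... > 500
            rows.append({"src_ip": src_ip, "_time": minute,
                         "num_dest_port": num_dest_port, "num_dest_ip": num_dest_ip,
                         "Total": num_dest_port + num_dest_ip})     # eval Total
    rows.sort(key=lambda r: r["Total"], reverse=True)                # sort -Total
    seen, deduped = set(), []
    for r in rows:                                                    # dedup src_ip
        if r["src_ip"] not in seen:
            seen.add(r["src_ip"])
            deduped.append(r)
    return deduped


if __name__ == "__main__":
    blocked = load_blocked(BLOCKED_IP_CSV)
    for row in detect(make_events(), blocked):
        print(row)            # only 198.51.100.7 survives the exclusions and the lookup
    print("with '| fields src_ip':", detect(make_events(), blocked, drop_dest_fields=True))
```

Running it lists a single row for 198.51.100.7 (600 distinct ports, Total 601): the lookup entry and the 10.0.0.0/8 host are removed before the stats, and the drop_dest_fields run returns an empty list, which is the symptom the question describes.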