- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Best Way to search using a lookup table?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm running a search across a bunch of data, say syslogs, that has a lot of different source_IPs.
I make a lookup table of name [ip_list]
src_ip
10.10.10.1
10.10.10.2
10.10.10.3
What is the best way to search across all of my data and ONLY show items from lookup tables that are NOT match with field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<search terms> NOT [ | inputlookup <your lookup> ]
eg.
* NOT [ | inputlookup ip_list ]
To inspect which search string is generated by the subsearch, you can execute
| inputlookup ip_list | format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
<search terms> NOT [ | inputlookup <your lookup> ]
eg.
* NOT [ | inputlookup ip_list ]
To inspect which search string is generated by the subsearch, you can execute
| inputlookup ip_list | format
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks man, run with the flow.
just for knowledge,your previous command worked well by showing all events without "|stats count by source_IPs" but when we append stats it process 14% of my file and display no results. Is stats command take too much processing??
source="/export/home/azubair/Audit_Report" NOT [ | inputlookup ip_list | fields ip | rename ip as source_IPs ] | stats count by source_IPs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah, I get it 😉 Here you go:
| inputlookup ip_list | fields ip | rename ip as source_IPs | search NOT [ search source="/export/home/azubair/Audit_Report" | dedup source_IPs | fields source_IPs ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks man. It shows ips of the field source_IPs that are not matched with my lookup table.
I want the other way round, means want IPs from my lookup table that are not matched with field source_IPs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="/export/home/azubair/Audit_Report" NOT [ | inputlookup ip_list | fields ip | rename ip as source_IPs ] | stats count by source_IPs
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
there is only 1 column in ip_list with the name "ip"
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What is the name of the column you want to compare it with in the lookup?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="/export/home/azubair/Audit_Report" inputlookup ip_list NOT [ | fields source_IPs ]
No output
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not working. What I am trying is
I want to compare my field(source_IPs) with lookup file(ip_list) and generates those IPs from lookup file that are not matched with source_IPs field.
Also, can I trim my desired output by using stats command that will show only IPs
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
