Best Way to search using a lookup table?

Explorer

I'm running a search across a bunch of data, say syslogs, that has a lot of different source_IPs.

I make a lookup table with the name [ip_list]:

src_ip
10.10.10.1
10.10.10.2
10.10.10.3

What is the best way to search across all of my data and ONLY show items from the lookup table that do NOT match the field?

Re: Best Way to search using a lookup table?

Influencer
<search terms> NOT [ | inputlookup <your lookup> ]

e.g.

* NOT [ | inputlookup ip_list ]

To inspect which search string is generated by the subsearch, you can execute

| inputlookup ip_list | format

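As an added example (not part of the original answer), the same "events whose source IP is not in the lookup" filter can be written without a subsearch by using the lookup command, which avoids the subsearch result and time limits; the event field name sourceIPs and the lookup ip_list with column ip are taken from the thread, and the source path is a placeholder:

```spl
source="<your audit source>"
| lookup ip_list ip AS sourceIPs OUTPUT ip AS matched_ip
| where isnull(matched_ip)
| stats count AS events BY sourceIPs
```

The lookup command fills matched_ip only for events whose sourceIPs value exists in the ip column, so the where clause keeps exactly the non-matching events. If you prefer the subsearch form from the answer above, `| inputlookup ip_list | rename ip AS sourceIPs | format` shows the clause it expands to, `( ( sourceIPs="10.10.10.1" ) OR ( sourceIPs="10.10.10.2" ) ... )`; the rename inside the subsearch is what makes that clause reference the event field rather than the lookup column, and without it the NOT excludes nothing.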
Re: Best Way to search using a lookup table?

Explorer

Not working. What I am trying is:

I want to compare my field (sourceIPs) with the lookup file (iplist) and generate those IPs from the lookup file that do not match the source_IPs field.

Also, can I trim my desired output by using the stats command so that it shows only IPs?

Re: Best Way to search using a lookup table?

Explorer

source="/export/home/azubair/AuditReport" inputlookup iplist NOT [ | fields source_IPs ]

No output

Re: Best Way to search using a lookup table?

Influencer

What is the name of the column you want to compare it with in the lookup?

Re: Best Way to search using a lookup table?

Explorer

There is only 1 column in ip_list, with the name "ip".

Re: Best Way to search using a lookup table?

Influencer

source="/export/home/azubair/AuditReport" NOT [ | inputlookup iplist | fields ip | rename ip as sourceIPs ] | stats count by sourceIPs

Re: Best Way to search using a lookup table?

Explorer

Thanks man. It shows IPs of the field sourceIPs that are not matched with my lookup table.
I want it the other way round, meaning I want IPs from my lookup table that are not matched with the field sourceIPs.

Re: Best Way to search using a lookup table?

Influencer

Ah, I get it 😉 Here you go:

| inputlookup iplist | fields ip | rename ip as sourceIPs | search NOT [ search source="/export/home/azubair/AuditReport" | dedup sourceIPs | fields sourceIPs ]

Re: Best Way to search using a lookup table?

Explorer

Thanks man, running with the flow.
Just for knowledge, your previous command worked well by showing all events without "| stats count by source_IPs", but when we append stats it processes 14% of my file and displays no results. Does the stats command take too much processing?

source="/export/home/azubair/AuditReport" NOT [ | inputlookup iplist | fields ip | rename ip as sourceIPs ] | stats count by sourceIPs

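As an added example (not from the thread's posts), the reverse question asked above, which lookup IPs never appear in the events, can also be answered without a subsearch, so it is not cut off by subsearch limits on large audit files; the lookup name iplist, its column ip and the event field sourceIPs come from the thread, the source path is a placeholder:

```spl
source="<your audit source>"
| stats count AS events BY sourceIPs
| inputlookup append=true iplist
| eval sourceIPs=coalesce(sourceIPs, ip), in_lookup=if(isnotnull(ip), 1, 0)
| fillnull value=0 events
| stats sum(events) AS events, max(in_lookup) AS in_lookup BY sourceIPs
| where in_lookup=1 AND events=0
```

The first stats reduces the events to one row per observed IP, inputlookup append=true adds one row per lookup entry, and the second stats merges both sets by IP; rows that came only from the lookup end with events=0 and are the IPs never seen. A caveat that also applies to the stats question in the last post: `stats count BY <field>` silently discards every event that lacks that field, so if the event field is really source_IPs and the search says sourceIPs (the thread uses both spellings), stats returns nothing even though the plain event search returned results. Running `... | fieldsummary` or `... | stats count BY source_IPs` on its own shows which spelling the data actually carries.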