Solved: Check if IP address from search not in list of IP ...

ashishmgupta · ‎08-29-2019

I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below :
10.34*
10.35*
172.20*
172.21*
172.168*

I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc.
I upload the CSV in the "Lookup table files" as "all_ip.csv"

This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"?
index=myindex src_ip | inputlookup all_ip.csv

Thanks for all the help.

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

View solution in original post

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

wmyersas · ‎08-29-2019

And make sure the lookup definiton will do CIDR matches

Check if IP address from search not in list of IP address

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?

Check if IP address from search not in list of IP address

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25