Solved: Check if IP address from search not in list of IP ...

ashishmgupta · ‎08-29-2019

I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below :
10.34*
10.35*
172.20*
172.21*
172.168*

I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc.
I upload the CSV in the "Lookup table files" as "all_ip.csv"

This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"?
index=myindex src_ip | inputlookup all_ip.csv

Thanks for all the help.

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

View solution in original post

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

wmyersas · ‎08-29-2019

And make sure the lookup definiton will do CIDR matches

Check if IP address from search not in list of IP address

Get Inspired! We’ve Got Validation that Your Hard Work is Paying Off

What's New in Splunk Enterprise 9.4: Features to Power Your Digital Resilience

Take Your Breath Away with Splunk Risk-Based Alerting (RBA)