Splunk Search

Check if IP address from search not in list of IP address

ashishmgupta
Explorer

I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below :
10.34*
10.35*
172.20*
172.21*
172.168*

I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc.
I upload the CSV in the "Lookup table files" as "all_ip.csv"

This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"?
index=myindex src_ip | inputlookup all_ip.csv

Thanks for all the help.

Tags (2)
0 Karma
1 Solution

masonmorales
Influencer

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

View solution in original post

masonmorales
Influencer

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

wmyersas
Builder

And make sure the lookup definiton will do CIDR matches

0 Karma
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...