Solved: Check if IP address from search not in list of IP ...

ashishmgupta · ‎08-29-2019

I am still learning Splunk and trying to understand best way to find if IP addresses in my search results are NOT in a list of IP addresses I have like below :
10.34*
10.35*
172.20*
172.21*
172.168*

I put * in the CSV list to cover all IP addresses. for example ..10.34.1.3 is covered by 10.34. 172.212.1.1 is covered by 172.21* etc.
I upload the CSV in the "Lookup table files" as "all_ip.csv"

This is what I started with. How can I make sure "src_ip" is NOT in the list "ip.csv"?
index=myindex src_ip | inputlookup all_ip.csv

Thanks for all the help.

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

View solution in original post

masonmorales · ‎08-29-2019

index=myindex src_ip NOT [inputlookup all_ip.csv]
Assuming the field is named src_ip in the CSV as well. If it's not, you can rename the field by using a | rename after the inputlookup

wmyersas · ‎08-29-2019

And make sure the lookup definiton will do CIDR matches

Check if IP address from search not in list of IP address

Unleash Unified Security and Observability with Splunk Cloud Platform

Splunk AppDynamics with Cisco Secure Application

New Splunk Innovations Enhance Performance and Accelerate Troubleshooting