Splunk Search

Compare output of a search to lookup values

gl_splunkuser
Path Finder

Hello everyone, 

I am trying to compare a list of IPs from a lookup with an output from a search field, and instead of doing this,

| search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16 ...)

I want to have a lookup with the IP ranges and exclude from the results the IPs that match the lookup.

My lookup is like:

ips

13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
....

Thanks a lot in advance.


scelikok
Champion

Hi @gl_splunkuser,

You can use the lookup for search; I assume your lookup name is "ips_lookup" and has a field called "ips". Please update these with the correct ones.

| search NOT 
    [| inputlookup ips_lookup 
    | fields ips 
    | rename ips as dest_ip]

 

If this reply helps you, an upvote is appreciated.
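
An alternative to the subsearch above, added here as an example and not part of the original reply: define the lookup with CIDR matching so that each dest_ip is tested against the ranges by the lookup itself. The stanza name ips_lookup, the file name ips_lookup.csv and the output field matched_range are assumptions.

```ini
# transforms.conf: lookup definition (stanza and file names are assumed)
[ips_lookup]
filename = ips_lookup.csv
# Treat the "ips" column as CIDR ranges instead of exact strings
match_type = CIDR(ips)

# Search-side usage (SPL, shown as comments because this file is .conf):
#   <your base search>
#   | lookup ips_lookup ips AS dest_ip OUTPUT ips AS matched_range
#   | where isnull(matched_range)
#
# matched_range (hypothetical field name) is filled only when dest_ip falls
# inside one of the ranges, so keeping the null rows excludes those IPs.
```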

