Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Compare output of a search to a lookup values

gl_splunkuser
Path Finder
‎03-17-2021 02:53 PM

Hello everyone, 

I am trying to compare a list of IPs from a lookup with a output from a search field, and instated of do this, 

| search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16 ...)

I want to have a lookup with the ips ranges and exclude from the results  the ip that matchs with the lookup.

My lookup is like:

ips

13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
....

Really thanks in advance.

 

Labels (3)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-17-2021 09:40 PM

Hi @gl_splunkuser,

You can use the lookup for search; I assume your lookup name is "ips_lookup" and has a field called "ips". Please update these with the correct ones.

| search NOT 
    [| inputlookup ips_lookup 
    | fields ips 
    | rename ips as dest_ip]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

scelikok
SplunkTrust
SplunkTrust
‎03-17-2021 09:40 PM

Hi @gl_splunkuser,

You can use the lookup for search; I assume your lookup name is "ips_lookup" and has a field called "ips". Please update these with the correct ones.

| search NOT 
    [| inputlookup ips_lookup 
    | fields ips 
    | rename ips as dest_ip]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
Reply
Get Updates on the Splunk Community!

Automatic Discovery Part 1: What is Automatic Discovery in Splunk Observability Cloud ...

If you’ve ever deployed a new database cluster, spun up a caching layer, or added a load balancer, you know it ...

Real-Time Fraud Detection: How Splunk Dashboards Protect Financial Institutions

Financial fraud isn't slowing down. If anything, it's getting more sophisticated. Account takeovers, credit ...

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...