Solved: Exclude WhiteList IP from results

staymini · ‎03-25-2018

I want to exclude the IP in the lookup file from the search results.

I have defined a lookup file that contains WhiteList IP.
- The contents of Lookup File are 1.1.1.1
I looked it up using the following query.
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3
It was successful !!

I tried next.
Query : index=fw 2.2.2.2 | table wIP | outputlookup whitelist append=t
Result : 2.2.2.2

I have confirmed that 2.2.2.2 has been added to the lookup file.
Query : | inputlookup whitelist
Result : 1.1.1.1 2.2.2.2

Next Search
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3

2.2.2.2 is not excluded !!!

Please let me know why.

What should I do?

tiagofbmm · ‎03-25-2018

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

tiagofbmm · ‎03-25-2018

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

staymini · ‎03-25-2018

Wow!!! I did not know this way!!!
Thank you very much.
I want you to be filled with good things.

Exclude WhiteList IP from results