Splunk Search

Exclude WhiteList IP from results

staymini
Explorer

I want to exclude the IP in the lookup file from the search results.

  1. I have defined a lookup file that contains WhiteList IP.

    • The contents of Lookup File are 1.1.1.1
  2. I looked it up using the following query.
    Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
    Result : 2.2.2.2 3.3.3.3
    It was successful !!

I tried next.
Query : index=fw 2.2.2.2 | table wIP | outputlookup whitelist append=t
Result : 2.2.2.2

I have confirmed that 2.2.2.2 has been added to the lookup file.
Query : | inputlookup whitelist
Result : 1.1.1.1 2.2.2.2

Next Search
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3

2.2.2.2 is not excluded !!!

Please let me know why.

What should I do?

0 Karma
1 Solution

tiagofbmm
Influencer

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

View solution in original post

tiagofbmm
Influencer

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

staymini
Explorer

Wow!!! I did not know this way!!!
Thank you very much.
I want you to be filled with good things.

0 Karma
Get Updates on the Splunk Community!

Set Up More Secure Configurations in Splunk Enterprise With Config Assist

This blog post is part 3 of 4 of a series on Splunk Assist. Click the links below to see the other ...

Observability Highlights | November 2022 Newsletter

 November 2022Observability CloudEnd Of Support Extension for SignalFx Smart AgentSplunk is extending the End ...

Enterprise Security Content Update (ESCU) v3.54.0

The Splunk Threat Research Team (STRT) recently released Enterprise Security Content Update (ESCU) v3.54.0 and ...