I want to exclude the IP in the lookup file from the search results.
I have defined a lookup file that contains WhiteList IP.
I looked it up using the following query.
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3
It was successful!!
I tried next.
Query : index=fw 2.2.2.2 | table wIP | outputlookup whitelist append=t
Result : 2.2.2.2
I have confirmed that 2.2.2.2 has been added to the lookup file.
Query : | inputlookup whitelist
Result : 1.1.1.1 2.2.2.2
Next Search
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3
2.2.2.2 is not excluded!!!
Please let me know why.
What should I do?
Hey
You can try using the return command to include or exclude the IPs in the whitelist lookup.
Include
index=fw
[ | inputlookup whitelist | fields ip | return 10000 $ip]
Exclude
index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])
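As an added example (not from the original thread), the same include/exclude can be done with the lookup itself instead of a subsearch, which avoids the subsearch's default result limit (the 10000 in `return 10000`) when the whitelist grows large. It assumes the firewall events carry the address in `wIP`, as in the question; `whitelisted_ip` is a name chosen here so the lookup output cannot collide with an existing event field.

```spl
/* Exclude: events whose wIP is in the whitelist get whitelisted_ip set,
   everything else leaves it null, so isnull() keeps only non-whitelisted traffic */
index=fw
| lookup whitelist ip AS wIP OUTPUT ip AS whitelisted_ip
| where isnull(whitelisted_ip)
| fields - whitelisted_ip
| table _time wIP

/* Include: same lookup, inverted test (this is what the question's
   "where isnotnull(ip)" was effectively doing) */
index=fw
| lookup whitelist ip AS wIP OUTPUT ip AS whitelisted_ip
| where isnotnull(whitelisted_ip)
| table _time wIP
```

Writing the lookup result to a field of its own also makes the filter unambiguous when the raw events already contain a field named `ip`.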
Wow!!! I did not know this way!!!
Thank you very much.
I want you to be filled with good things.