Splunk Search

Exclude WhiteList IP from results

staymini
Engager

I want to exclude the IPs in the lookup file from the search results.

  1. I have defined a lookup file that contains whitelist IPs.

    • The contents of the lookup file are: 1.1.1.1
  2. I looked it up using the following query.
    Query: index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
    Result: 2.2.2.2 3.3.3.3
    It was successful!!

Next I tried this.
Query: index=fw 2.2.2.2 | table wIP | outputlookup whitelist append=t
Result: 2.2.2.2

I have confirmed that 2.2.2.2 has been added to the lookup file.
Query: | inputlookup whitelist
Result: 1.1.1.1 2.2.2.2

Next search:
Query: index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result: 2.2.2.2 3.3.3.3

2.2.2.2 is not excluded!!!

Please let me know why.

What should I do?


tiagofbmm
Influencer

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup.

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

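Two added examples building on the accepted answer (these are not from the thread): the first restricts the subsearch exclusion to one event field, so a whitelisted value is not also matched wherever it appears in the raw event; the second does the same exclusion with a lookup instead of a subsearch, which avoids the subsearch result limit (10,000 rows by default) on large whitelists. The third search appends to the whitelist under the lookup's own column name. The event field name src_ip is an assumption; the lookup name whitelist and its column ip are the ones used in the question.

```spl
index=fw NOT [ | inputlookup whitelist | fields ip | return 10000 src_ip=ip ]

index=fw
| lookup whitelist ip AS src_ip OUTPUT ip AS whitelisted_ip
| where isnull(whitelisted_ip)
| fields - whitelisted_ip

index=fw src_ip=2.2.2.2
| rename src_ip AS ip
| dedup ip
| table ip
| outputlookup whitelist append=t
```

In the lookup form, whitelisted_ip is only populated for events whose src_ip matches a row in the lookup, so isnull() keeps everything else. When appending to the lookup, write the value under the column the lookup matches on (ip); a row appended under a different field name adds a new column that a lookup on ip never sees.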


staymini
Engager

Wow!!! I did not know this way!!!
Thank you very much.
I want you to be filled with good things.
