Re: Finding ip's not in a inputlookup

realtimetechnol · ‎07-08-2020

Hi All,

I appreciate that there are tons of answers on this but I am having issues getting it to work!

I have a csv named known-ip-addresses.csv it contains the same fields as those in the indexed data eventName, src, "user.Identity.arn" in exactly the same case and separated. The inputlookup works ok and I can search against values. I have not created a lookup definition

In the indexed data we have a sourcetype with the same fields, I am trying to find any ip's (src field) that are not in the inputlookup.

sourcetype=aws:cloudtrail eventName=ConsoleLogin NOT [inputlookup known-ip-addresses.csv | fields eventName, src, "user.Identity.arn" ]

The result is that I am getting a mix of addresses that are in the csv as well as those that are not.

Can anyone point me in the right direction?

Thanks in advance.

richgalloway · ‎07-08-2020

Run this search

inputlookup known-ip-addresses.csv 
| fields eventName, src, "user.Identity.arn" 
| format

to see what is being returned from the subsearch. Tweak the subsearch, and perhaps also the options to format, to get results that match your index.

---
If this reply helps you, Karma would be appreciated.

Finding ip's not in a inputlookup

subsearch

Can’t make it to .conf25? Join us online!

Community Content Calendar, September edition

Splunkbase Unveils New App Listing Management Public Preview

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Are you a member of the Splunk Community?