How can I group IP addresses together to exclude t...

wraithman2222 · ‎10-12-2018

Hello,

I'm new to Splunk and I was just wondering: how can I group IP addresses together to exclude them from my searches?

I'm using the src_ip!="xxx.xxx.xxx.xxx" for all of the IPs I want excluded from the search, but it's not even working anymore as the excluded IPs are still showing up in my results for some reason. There must be a more efficient way to do this right?

I know I have to do something with Lookup tables but I'm not too sure where to begin.

Thank you in advance !

nilbak1 · ‎10-13-2018

Hi @wraithman2222
yes, you are right you can use lookup csv file here to exclude the ips.
First, create and upload the csv file.
Then use your search query as below.

   Search Query NOT[ inputlookup your_lookup.csv]

It should work!.

Vijeta · ‎10-12-2018

If you are hard coding in your query you can use, else store them in a look up and use it in your query to ignore the IP from lookup using a subsearch

src_ip NOT IN("xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx","xxx.xxx.xxx.xxx"....)

How can I group IP addresses together to exclude them from my searches?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers

Are you a member of the Splunk Community?

How can I group IP addresses together to exclude them from my searches?

Index This | Why did the turkey cross the road?

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Feel the Splunk Love: Real Stories from Real Customers