Splunk Search

How to exclude traffic with src_ip or dest_ip using lookup file

imst27
Loves-to-Learn

Hi,

I’m building a search on the Network_Traffic datamodel to detect high outbound flows (>1 GB).
I need to exclude a list of known backup / AWS ranges, and the exclusion should apply if either src_ip or dest_ip matches any of them.

Right now my query looks like this (shortened for readability):

| tstats `security_content_summariesonly`
    sum(All_Traffic.bytes_out) as bytes_out
  from datamodel=Network_Traffic
  where All_Traffic.action=allowed
  by All_Traffic.src_ip All_Traffic.dest_ip _time span=1d
| `drop_dm_object_name("All_Traffic")`
| where bytes_out > 1073741824
| where NOT (
    cidrmatch("<internal_backup_subnet>/24", src_ip) OR cidrmatch("<internal_backup_subnet>/24", dest_ip)
 OR cidrmatch("<external_backup_subnet>/24", src_ip) OR cidrmatch("<external_backup_subnet>/24", dest_ip)
 … etc …
)
| table _time src_ip src_port dest_ip dest_port transport app vlan bytes_gb dvc rule action user dest_interface src_interface direction src_zone dest_zone
 

This works, but the WHERE NOT block is huge (I’ve got 40+ CIDRs).

I tried to utilize inputlookup and a lookup file but failed; the lookup file backup-subnet-test.csv structure is as follows:

subnet,comment
<subnet>/28,comment1
<subnet>/20,comment2
<subnet>/32,comment3

Question
  • Is it possible to use a lookup file for this case? I want to use the lookup file (backup-subnet-test.csv) to exclude traffic if either src_ip or dest_ip matches a subnet in the lookup.
  • Or is there a cleaner way to apply the CIDR lookup once against both fields?

Thanks a lot in advance!


PrewinThomas
Motivator

@imst27 

Yes, the lookup approach is much better. It's better to simplify the giant cidrmatch() block into two clean lookup calls, one for src_ip and one for dest_ip.

Eg:

| lookup backup_subnets subnet as src_ip OUTPUT comment as src_match
| lookup backup_subnets subnet as dest_ip OUTPUT comment as dest_match
| where isnull(src_match) AND isnull(dest_match)
| table _time src_ip dest_ip src_match dest_match

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

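A complete version of the original tstats search with the two lookup calls wired in, added here as an illustration and not code from either poster. It assumes a lookup definition named backup_subnets created over backup-subnet-test.csv, and that the definition's match type is set to CIDR on the subnet column (Lookup definition > Advanced options > Match type `CIDR(subnet)` in the UI, or `match_type = CIDR(subnet)` in the definition's transforms.conf stanza). Without that setting the lookup does an exact string comparison, an address such as 10.1.2.3 never equals a string like 10.1.2.0/24, and nothing is ever excluded, which is the usual reason the lookup approach appears to "fail". The example outputs the matched subnet rather than the comment so that a row with an empty comment still registers as a match, and it adds the bytes_gb eval that the original table referenced but never computed.

```spl
| tstats `security_content_summariesonly`
    sum(All_Traffic.bytes_out) as bytes_out
  from datamodel=Network_Traffic
  where All_Traffic.action=allowed
  by All_Traffic.src_ip All_Traffic.dest_ip _time span=1d
| `drop_dm_object_name("All_Traffic")`
| where bytes_out > 1073741824
| lookup backup_subnets subnet as src_ip OUTPUT subnet as src_match
| lookup backup_subnets subnet as dest_ip OUTPUT subnet as dest_match
| where isnull(src_match) AND isnull(dest_match)
| eval bytes_gb=round(bytes_out/1073741824, 2)
| table _time src_ip dest_ip bytes_gb
```

To confirm the definition is really doing CIDR matching before trusting the exclusion, run `| makeresults | eval src_ip="<an address inside one of your listed subnets>" | lookup backup_subnets subnet as src_ip OUTPUT subnet as src_match` and check that src_match is populated; if it comes back empty, the match type on the definition is still the default exact match. Keeping the matched subnet in src_match and dest_match also lets you drop the final where clause temporarily and review which entries are suppressing which flows.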