Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter results from Lookup?

alexspunkshell
Contributor
‎06-10-2021 03:30 AM

In my search results, I have multiple results for "Alert" & "UPN"

I want to only include "Alert=Anonymous IP address" for specific 10 "UPN" and other results to ignore.

So I made a lookup table to filter it. However, multiple other "Alert" results are also included in my search results for the "UPN"

Query

........
| lookup Trusted_Anonymizer Alert_UPN as UPN 
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search  Anonymizer_alert=Yes
|table  Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

Spoiler
Spoiler
........
| lookup Trusted_Anonymizer Alert_UPN as UPN 
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search  Anonymizer_alert=Yes
|table  Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert



 

 

alexspunkshell_0-1623320425575.png

alexspunkshell_1-1623320545494.png

alexspunkshell_2-1623320621082.png

 

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana   @to4kawa @woodcock 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-11-2021 06:41 AM

The data and lookup samples are not obvious, so I am not sure.

 

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-11-2021 06:41 AM

The data and lookup samples are not obvious, so I am not sure.

 

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

 

Reply
Get Updates on the Splunk Community!

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

  🚀 Your data just got a serious AI upgrade — are you ready? Say hello to the Agentic Era with the ...

Feel the Splunk Love: Real Stories from Real Customers

Hello Splunk Community,    What’s the best part of hearing how our customers use Splunk? Easy: the positive ...

Data Management Digest – November 2025

  Welcome to the inaugural edition of Data Management Digest! As your trusted partner in data innovation, the ...