Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter results from Lookup?

alexspunkshell
Contributor
‎06-10-2021 03:30 AM

In my search results, I have multiple results for "Alert" & "UPN"

I want to only include "Alert=Anonymous IP address" for specific 10 "UPN" and other results to ignore.

So I made a lookup table to filter it. However, multiple other "Alert" results are also included in my search results for the "UPN"

Query

........
| lookup Trusted_Anonymizer Alert_UPN as UPN 
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search  Anonymizer_alert=Yes
|table  Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert

Spoiler
Spoiler
........
| lookup Trusted_Anonymizer Alert_UPN as UPN 
| eval Anonymizer_alert=if(Anonymizer_alert="whitelisted_user","Yes","No")
| search  Anonymizer_alert=Yes
|table  Alert_Titles, UPN, MFAStatus, count, Anonymizer_alert



 

 

alexspunkshell_0-1623320425575.png

alexspunkshell_1-1623320545494.png

alexspunkshell_2-1623320621082.png

 

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana   @to4kawa @woodcock 

 

Labels (3)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-11-2021 06:41 AM

The data and lookup samples are not obvious, so I am not sure.

 

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

 

View solution in original post

Reply
Solved! Jump to solution
Solution

to4kawa
Ultra Champion
‎06-11-2021 06:41 AM

The data and lookup samples are not obvious, so I am not sure.

 

alert="Anonymous IP address" | lookup ....

I suppose the order is this.

 

Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...