Solved: Re: How to filter specfic result

alexspunkshell · ‎08-04-2021

In my search result, I have the "Description" field.
The Description field contains both texts and 2 IP details.
I want to check both IPs with my lookup table.
If the IPs are not present in the lookup then I need the result. If the IPs are present in my lookup table then I want to filter the result.

Kindly help here.

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

How to filter specfic result

eval

lookup

regex

rex

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases