Solved: How to filter specfic result

alexspunkshell · ‎08-04-2021

In my search result, I have the "Description" field.
The Description field contains both texts and 2 IP details.
I want to check both IPs with my lookup table.
If the IPs are not present in the lookup then I need the result. If the IPs are present in my lookup table then I want to filter the result.

Kindly help here.

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

How to filter specfic result

eval

lookup

regex

rex

Dashboards: Hiding charts while search is being executed and other uses for tokens

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

Are you a member of the Splunk Community?