Solved: How to filter specfic result

alexspunkshell · ‎08-04-2021

In my search result, I have the "Description" field.
The Description field contains both texts and 2 IP details.
I want to check both IPs with my lookup table.
If the IPs are not present in the lookup then I need the result. If the IPs are present in my lookup table then I want to filter the result.

Kindly help here.

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

View solution in original post

manjunathmeti · ‎08-04-2021

hi @alexspunkshell,
Use rex to extract IPs and lookup IPs in the lookup table.

| rex field=Description max_match=0 "(?<IP>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" 
| lookup lookup_table lookup_table_IP_field AS IP OUTPUT lookup_table_IP_field as new_field
| where mvcount(IP)=mvcount(new_field)

If this reply helps you, a like would be appreciated.

How to filter specfic result

eval

lookup

regex

rex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Announcing Modern Navigation: A New Era of Splunk User Experience

Detection Engineering Office Hours: Real-World Troubleshooting & Q&A

Developer Spotlight with Mika Borner

Join the Conversation