Splunk Search

How to use a lookup table field to discard events?

JoserraRodrigo
New Member

We have a list of Ips in a lookup table and we want to search events that doesn't match with them.

The lookup definition "scanners_lookup" has a field called "Ip_Scanner" and the events in the index we are looking for has another called "source_ip". How do we build the search? We have tried several approachs that don't work.

For instance:

index=my_index | lookup scanners_lookup  Ip_Scanner | where source_ip != IP_scanner

Thank you!

Labels (1)
0 Karma

somesoni2
Revered Legend

Try like this

index=yourindex sourcetype=yourSourcetype [| inputlookup scanners_lookup | table Ip_Scanner | rename Ip_Scanner as source_ip ]
0 Karma
Get Updates on the Splunk Community!

Splunk Smartness with Brandon Sternfield | Episode 3

Hello and welcome to another episode of "Splunk Smartness," the interview series where we explore the power of ...

Monitoring Postgres with OpenTelemetry

Behind every business-critical application, you’ll find databases. These behind-the-scenes stores power ...

Mastering Synthetic Browser Testing: Pro Tips to Keep Your Web App Running Smoothly

To start, if you're new to synthetic monitoring, I recommend exploring this synthetic monitoring overview. In ...