We have a list of IPs in a lookup table and we want to search for events that don't match any of them.
The lookup definition "scanners_lookup" has a field called "Ip_Scanner", and the events in the index we are searching have another field called "source_ip". How do we build the search? We have tried several approaches that don't work.
For instance:
index=my_index | lookup scanners_lookup Ip_Scanner | where source_ip != IP_scanner
Thank you!
Try like this:
index=yourindex sourcetype=yourSourcetype NOT [| inputlookup scanners_lookup | table Ip_Scanner | rename Ip_Scanner as source_ip ]
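As an added example (not part of the original answer), here are two ways to express the same exclusion in SPL. Both assume the lookup name scanners_lookup, the lookup field Ip_Scanner and the event field source_ip from the question, and the index name my_index is a placeholder.

```spl
index=my_index NOT [| inputlookup scanners_lookup | fields Ip_Scanner | rename Ip_Scanner AS source_ip ]

index=my_index
| lookup scanners_lookup Ip_Scanner AS source_ip OUTPUT Ip_Scanner AS matched_scanner
| where isnull(matched_scanner)
```

The first form expands the subsearch into an OR list of source_ip values and is subject to the default subsearch limit of 10,000 rows (limits.conf [subsearch] maxout), so it silently stops excluding IPs beyond that cap; the second form joins every event against the lookup and keeps only rows with no match, which scales to large scanner lists.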