Lookup Table Comparison with field and to return field value that is not in the lookup

peetchow
Loves-to-Learn Lots

All,

I know there are a lot of postings with answers on lookup tables, but I am still stuck. I have not splunked in a few years and I hit a wall even when looking back at some of my old saved strings.

I have a csv file that has 2 columns: one that contains IPAddress and the other that has SubnetMasks.

I am searching in my logs for IPAddresses that I want to compare with the IPAddresses that are in the lookup csv file. If the IPAddresses are not found ... then display them in a table.

My query is as follows:

index=blah  field3="*" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddress AS Source_IP | eval InWhitelist="Yes" | table Source_IP IPAddress field4 InWhitelist | where InWhitelist="Yes" | sort -Source_IP

  • where field3 is the field with the IP Addresses (extracted from delimited extractions)
  • where field4 is the field that has the hostname

This spits out a nice table, but I notice IPs that are not in my whitelist are showing up.

What is wrong here!?

Your help is greatly appreciated!

Thanks

P


peetchow
Loves-to-Learn Lots

Sadly it did not work. Any IP I put in for field3 (whether in the whitelist or not) is displayed in the table with a value of "Yes" for InWhitelist.

Also, field4 that holds the hostname does not carry over to the table.


saravanan90
Contributor

This may help...

The search below will check the lookup and return the results when the IP is not present in the lookup.

| makeresults | eval field3="192.168.1.6", field4="hostname" | fields field3 field4 | dedup field3 | rename field3 as Source_IP | lookup ip_whitelist IPAddress AS Source_IP | eval InWhitelist=if(isnull(SubnetMasks),"Yes","No") | table Source_IP field4 InWhitelist SubnetMasks | where InWhitelist="Yes"

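A corrected, self-contained version of the search, added here as an example rather than taken from either post. The three sample events (the src/host pairs and hostnames are made up) are built inline with makeresults, the lookup ip_whitelist with columns IPAddress and SubnetMasks is assumed to exist as the question describes, and the match column is echoed back through an explicit OUTPUT clause so that a null test on it, not an unconditional eval, decides membership:

```spl
| makeresults count=1
| eval _raw="src=10.0.0.5 host=web01;src=192.168.1.6 host=db02;src=172.16.4.20 host=jump01"
| makemv delim=";" _raw
| mvexpand _raw
| rex field=_raw "src=(?<Source_IP>\S+)\s+host=(?<field4>\S+)"
| fields Source_IP field4
| dedup Source_IP
| lookup ip_whitelist IPAddress AS Source_IP OUTPUT IPAddress AS Whitelist_IP SubnetMasks
| eval InWhitelist=if(isnotnull(Whitelist_IP), "Yes", "No")
| where InWhitelist="No"
| table Source_IP field4 InWhitelist
| sort Source_IP
```

If the whitelist entries describe networks rather than single hosts, this exact-match lookup ignores SubnetMasks; for that case Splunk lookup definitions support `match_type = CIDR(IPAddress)` in transforms.conf, with the entries written in CIDR notation.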