Hi,
What's the most efficient way to use a lookup table within a query to exclude results where 2 fields exist, i.e. a source IP address AND a destination port? So we only exclude results where BOTH fields are seen within the same event. The source to a different port should still appear in the results.
I'm thinking maybe a join from the base search to the lookup with a type=outer might accomplish the same as an AND NOT?
Or would there be a better more efficient way to accomplish this?
Thanks in advance!
index=aindex NOT [| inputlookup yourlookup.csv | fields src_ip dst_port | format ]
Assuming your lookup table has fields src_ip and dest_port and fields with the same names exist in your data, and the number of rows in your lookup is less than 10K, this would be the best method to filter your logs:
index=foo sourcetype=bar..your base search criteria.. NOT [| inputlookup yourLookupTable.csv | table src_ip dest_port | format ]
The subsearch would add filters in the format NOT ((dest_port="port1" AND src_ip="ip1") OR (dest_port="port2" AND src_ip="ip2") ...), so it'll only exclude events which have both the dest_port and src_ip combination values in them; all others will not be filtered.
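Added example, not from the thread and not Splunk's own code: a small Python emulation of what the subsearch in the answer above does, so the behaviour can be checked offline. The lookup file contents, the event records and the IP addresses are constructed for the example; the field names src_ip and dest_port are the ones assumed in the answer. The first function renders the lookup rows the way "| format" combines them (rows OR'd together, fields within a row AND'd, the whole thing negated by the NOT in the base search); the second applies that filter to events and shows that an event is dropped only when both fields match the same row.

```python
import csv
import io

# Constructed stand-in for yourLookupTable.csv (not from the thread).
LOOKUP_CSV = """src_ip,dest_port
10.0.0.5,25
10.0.0.7,25
10.0.0.5,587
"""

# Constructed stand-in for the events returned by "index=foo sourcetype=bar ...".
EVENTS = [
    {"src_ip": "10.0.0.5", "dest_port": "25", "dest_ip": "203.0.113.10"},   # known pair: excluded
    {"src_ip": "10.0.0.5", "dest_port": "443", "dest_ip": "203.0.113.10"},  # same host, other port: kept
    {"src_ip": "10.0.0.9", "dest_port": "25", "dest_ip": "203.0.113.10"},   # unknown host on 25: kept
    {"src_ip": "10.0.0.7", "dest_port": "25", "dest_ip": "198.51.100.2"},   # known pair: excluded
]


def load_lookup(csv_text, fields):
    """Emulate '| inputlookup ... | table src_ip dest_port': keep only the named fields."""
    return [{f: row[f] for f in fields} for row in csv.DictReader(io.StringIO(csv_text))]


def format_subsearch(rows):
    """Render rows the way '| format' does, with the NOT the base search wraps around it.

    Splunk's default format template is "(" "(" "AND" ")" "OR" ")". Whitespace here
    is illustrative rather than byte-exact. An empty lookup yields no filter at all.
    """
    if not rows:
        return ""
    row_terms = []
    for row in rows:
        terms = " AND ".join(f'{field}="{value}"' for field, value in row.items())
        row_terms.append(f"( {terms} )")
    return "NOT ( " + " OR ".join(row_terms) + " )"


def build_search(base_search, rows):
    """Assemble the final search string as Splunk would after expanding the subsearch."""
    return (base_search + " " + format_subsearch(rows)).strip()


def apply_exclusion(events, rows):
    """Emulate the NOT filter: drop an event only if some row matches on every field."""
    keys = {tuple(sorted(row.items())) for row in rows}
    fields = list(rows[0]) if rows else []
    kept = []
    for event in events:
        probe = tuple(sorted((f, event.get(f)) for f in fields))
        if probe not in keys:
            kept.append(event)
    return kept


if __name__ == "__main__":
    rows = load_lookup(LOOKUP_CSV, ["src_ip", "dest_port"])
    print(build_search("index=foo sourcetype=bar", rows))
    for event in apply_exclusion(EVENTS, rows):
        print("kept:", event["src_ip"], "->", event["dest_port"])
```

Two events survive: the known host on a port the lookup does not list, and an unknown host on port 25, which is exactly the "source to a different port should still appear" behaviour the question asks for.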
Perfect. Thanks somesoni2.
Everybody now!
So, you can use lookups to exclude events based on those events having fields that match some value in the lookup, i.e.
basesearch-that-has-port | lookup exclusionList port OUTPUTNEW port as isFound | where isnull(isFound)
You could do additionally lookups for other fields if you are looking at IP as well
basesearch-that-has-port | lookup exclusionList port OUTPUTNEW port as portIsFound | lookup exclusionList ip OUTPUTNEW port as ipIsFound | where isnull(portIsFound) AND isnull(ipIsFound)
Please let me know if this answers your question!
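Added example, not from the thread and not Splunk's own code: a Python emulation of the "lookup ... OUTPUTNEW ... | where isnull(...)" pattern in the answer above, run over a constructed exclusion list and constructed events. The field names ip and port are the ones the answer uses; the IP addresses and the name pairIsFound are assumptions. It runs the two chained single-field lookups exactly as written, and beside them a single lookup that matches on both fields at once (the lookup command accepts more than one match field), so you can compare which events each variant keeps.

```python
# Constructed stand-in for the exclusionList lookup (not from the thread).
EXCLUSION_LIST = [
    {"ip": "10.0.0.5", "port": "25"},   # known mail server sending on 25
    {"ip": "10.0.0.7", "port": "25"},
]

# Constructed events; the ip/port values are made up for the example.
EVENTS = [
    {"ip": "10.0.0.5", "port": "25"},    # expected mail traffic
    {"ip": "10.0.0.5", "port": "443"},   # known host, port not in the list
    {"ip": "10.0.0.9", "port": "25"},    # unknown host sending mail
    {"ip": "10.0.0.9", "port": "443"},   # unknown host, unlisted port
]


def lookup(events, table, match_fields, output_field, as_name):
    """Emulate '| lookup table f1 [f2 ...] OUTPUTNEW output_field as as_name'.

    Adds as_name to every event whose match_fields equal a row's values and leaves
    it absent otherwise. OUTPUTNEW never overwrites a field that already exists.
    """
    index = {tuple(row[f] for f in match_fields): row[output_field] for row in table}
    result = []
    for event in events:
        event = dict(event)
        key = tuple(event.get(f) for f in match_fields)
        if key in index and as_name not in event:
            event[as_name] = index[key]
        result.append(event)
    return result


def where_isnull(events, *fields):
    """Emulate '| where isnull(a) AND isnull(b) ...'."""
    return [event for event in events if all(event.get(f) is None for f in fields)]


def per_field_exclusion(events, table):
    """The two chained single-field lookups from the answer above:
    ... | lookup exclusionList port OUTPUTNEW port as portIsFound
        | lookup exclusionList ip OUTPUTNEW port as ipIsFound
        | where isnull(portIsFound) AND isnull(ipIsFound)
    """
    step = lookup(events, table, ["port"], "port", "portIsFound")
    step = lookup(step, table, ["ip"], "port", "ipIsFound")
    return where_isnull(step, "portIsFound", "ipIsFound")


def pair_exclusion(events, table):
    """One lookup that must match on both fields (pairIsFound is an assumed name):
    ... | lookup exclusionList ip port OUTPUTNEW port as pairIsFound
        | where isnull(pairIsFound)
    """
    step = lookup(events, table, ["ip", "port"], "port", "pairIsFound")
    return where_isnull(step, "pairIsFound")


if __name__ == "__main__":
    for name, fn in (("per-field", per_field_exclusion), ("pair", pair_exclusion)):
        kept = [(e["ip"], e["port"]) for e in fn(EVENTS, EXCLUSION_LIST)]
        print(f"{name}: kept {kept}")
```

On this input the per-field variant keeps only the unknown host on an unlisted port, because a known host is matched on ip alone whatever port it talks to; the pair variant also keeps the known host on 443 and the unknown host on 25, which are the cases the question wants to see.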
It's not clear what you're trying to do. You say you want to exclude events with certain fields, but you also want those fields in your results. Please share some sample events and an example of your desired results.
I can't share the sample data. But the idea is to bring back all source devices going to certain destinations, BUT exclude known traffic (taken from the lookup file).
i.e. a known exchange server on port 25. If it's not an exchange server going to port 25 then I'd want to know about it.
So basically use the lookup for known traffic that is expected, and exclude these from the results.