I am trying to perform a search and add an inputlookup to filter out information I don't need to know about. For example, if I run the following query:
index=firewall NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent
| sort -count
This produces a result and the logs filter correctly (proved by removing the NOT and seeing only the entries from the inputlookup, then adding the NOT back and not seeing those entries).
However, if I then try to extend my query with the following, it no longer filters and I am not sure where I have gone wrong. The query is as follows:
index=firewall "destination network"=external NOT(action=blocked) NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent username src dest dest_port rule action
| sort -count
I don't think the search string is wrong.
Please check the search string in the search log of the Inspect Job to see if it is the intended search.
The inclusion file for reference purposes is configured as:
agent
"applicationx.exe"
The file permissions are correct and the lookup is a tabled definition referencing the csv file.
@willadams
So you're saying that by adding the code below, your query is not working.
If that is the scenario, give this a try.
I'm not sure it will work, but this is my suggestion.
"destination network"=external NOT(action=blocked)
"destination network" --> I believe this is a value.
external --> I hope this is a field.
Try this:
index=***
"destination network"=external NOT action IN("blocked")
If "destination network" is a field, then try this:
index=***
| rename "destination network" as destination_network
| search destination_network=external NOT action IN("blocked")
Even if I omit "destination network", the results still end up the same. For example, if I run this:
index=firewall NOT [|inputlookup agent-inclusion-knownapps
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| fields agent]
| stats count by agent username src dest dest_port rule action
| sort -count
However, I did try removing the NOT from just before "[|inputlookup" and found that I am only getting 1 result. It looks as though Splunk is not referencing my lookup properly.
For example, my lookup file shows as (ignore the *):
agent
"application1.exe"
"application2.exe"
"application3.exe"
"application11.exe"
"application22.exe"
"application33.exe"
If I look at the data currently being referenced, I get "application1.exe" and cannot see application2.exe, application3.exe, etc.; it only references application1.exe.
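As an added example (not code from any of the posters), the same exclusion can be expressed without a subsearch: join the events against the lookup with `lookup` and keep only the events whose agent found no match. Because the lookup shown above has only an `agent` column, the `cidrmatch` tests on `dest_ip` are applied to the firewall events here rather than to the lookup rows; this assumes the events carry a `dest_ip` field and that `agent-inclusion-knownapps` is the name of the lookup definition.

```spl
index=firewall "destination network"=external NOT(action=blocked)
| where NOT cidrmatch("x.x.x.x/x",dest_ip) AND NOT cidrmatch("y.y.y.y/y",dest_ip)
| lookup agent-inclusion-knownapps agent OUTPUT agent AS known_agent
| where isnull(known_agent)
| stats count by agent username src dest dest_port rule action
| sort -count
```

Running `| inputlookup agent-inclusion-knownapps | fields agent | format` on its own shows the exact `agent="..."` terms a subsearch would expand to, which is a quick way to confirm that all rows of the CSV are being read.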