Splunk Search

Why doesn't an event's field value match the lookup file's field value?

Abhineet
Loves-to-Learn Everything

We have events with the field "ip_client" and a lookup file (F5_IPS_Exclusion.csv) with the field "F5_Exclusion_IPS", as shown below.

LOOKUP

| inputlookup F5_IPS_Exclusion.csv

F5_Exclusion_IPS
192.203.194.133
192.203.194.137
202.128.98.209
202.128.98.210

Note: the lookup file contains duplicate values too.

I need a search query that returns the events whose "ip_client" field value doesn't match any "F5_Exclusion_IPS" field value in the lookup file.


Abhineet
Loves-to-Learn Everything

"ip_client" is already field in splunk event. we want all event whose "ip_client" field value doesn't match with lookup file field "F5_Exclusion_IPS" value.


PickleRick
SplunkTrust
<your search> NOT ([| inputlookup F5_IPS_Exclusion.csv | rename whatever AS ip_client | table ip_client])

Replace "whatever" with your column name.


Abhineet
Loves-to-Learn Everything

Hi Rick!

"ip_client" is field in event we want all event whose "ip_client" field value not matches with IP in lookup table file "F5_IPS_Exclusion.csv"

The query you provided is not working for me.

I just want to discard events whose "ip_client" field matches an IP in the lookup table.


PickleRick
SplunkTrust

Yes, I understand what you want. And this search should do that - the subsearch is effectively expanded to a set of conditions which are then negated so it should give you an exclusion of a set of values.

What do you mean by "is not working"?


Abhineet
Loves-to-Learn Everything

It got resolved. Here is the solution:

<your search> | lookup F5_IPS_Exclusion.csv F5_Exclusion_IPS AS ip_client OUTPUT F5_Exclusion_IPS | where isnull(F5_Exclusion_IPS) | table ip_client

It gives all "ip_client" values not present in the lookup file "F5_IPS_Exclusion.csv".

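The two exclusion approaches from this thread side by side, as an added example that is not from any post above. It assumes the events live in index=web with sourcetype f5:bigip:ltm (hypothetical names) and that the lookup column is really named F5_Exclusion_IPS, exactly as the inputlookup output shows; the first search is the lookup-based filter, the second is the subsearch-based filter.

```spl
index=web sourcetype=f5:bigip:ltm ip_client=*
| lookup F5_IPS_Exclusion.csv F5_Exclusion_IPS AS ip_client OUTPUTNEW F5_Exclusion_IPS AS excluded_ip
| where isnull(excluded_ip)
| fields - excluded_ip
| table _time ip_client

index=web sourcetype=f5:bigip:ltm ip_client=*
    NOT [ | inputlookup F5_IPS_Exclusion.csv
          | dedup F5_Exclusion_IPS
          | rename F5_Exclusion_IPS AS ip_client
          | table ip_client ]
```

The lookup form tolerates the duplicate rows (a duplicate just makes excluded_ip multivalued, and isnull still returns false) and is not subject to the default subsearch limits of 10,000 results and 60 seconds, which is why it is the safer choice as the exclusion list grows; the subsearch form expands to NOT ((ip_client="192.203.194.133") OR (ip_client="192.203.194.137") OR ...), and the dedup keeps that expansion compact. If neither matches anything, run `| inputlookup F5_IPS_Exclusion.csv | head 1` and check the exact column name and any stray whitespace in the values, because a misspelled column or a trailing space silently produces zero matches.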