We have events with a field "ip_client" and a lookup file (F5_IPS_Exclusion.csv) with a field "F5_Exclusion_IPS", as shown below.
LOOKUP
| inputlookup F5_IPS_Exclusion.csv
F5_Exclusion_IPS
192.203.194.133
192.203.194.137
202.128.98.209
202.128.98.210
Note: the lookup file contains duplicate values too.
We need a search query that returns events whose "ip_client" field value does not match any "F5_Exclusion_IPS" field value in the lookup file.
"ip_client" is already a field in the Splunk event. We want all events whose "ip_client" field value does not match any value of the lookup file field "F5_Exclusion_IPS".
<your search> NOT ([| inputlookup F5_IPS_Exclusion.csv | rename whatever AS ip_client | table ip_client])
Replace "whatever" with your column name.
Hi Rick!
"ip_client" is a field in the event. We want all events whose "ip_client" field value does not match an IP in the lookup table file "F5_IPS_Exclusion.csv".
The query you provided is not working for me.
I just want to discard events whose "ip_client" field matches an IP in the lookup table.
Yes, I understand what you want. And this search should do that - the subsearch is effectively expanded to a set of conditions which are then negated so it should give you an exclusion of a set of values.
What do you mean by "is not working"?
It's resolved. I found the solution:
<your search> | lookup F5_IPS_Exclusion.csv F5_Exclusion_IPS AS ip_client OUTPUT F5_Exclusion_IPS | where isnull(F5_Exclusion_IPS) | table ip_client
It gives all events whose "ip_client" is not present in the lookup file "F5_IPS_Exclusion.csv".
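As an added example (not from any of the posts above), here are both exclusion forms from this thread side by side, plus a check that counts how many events the lookup would remove before you actually drop them. The base search `index=web sourcetype=f5` and the output field name `excluded_ip` are assumed. `dedup` handles the duplicate rows the lookup file is said to contain; the subsearch form is subject to Splunk's subsearch limits (by default 10,000 results and 60 seconds), so the `lookup` form is the safer choice as the exclusion list grows.

```spl
index=web sourcetype=f5
    NOT [| inputlookup F5_IPS_Exclusion.csv
         | dedup F5_Exclusion_IPS
         | rename F5_Exclusion_IPS AS ip_client
         | fields ip_client]

index=web sourcetype=f5
| lookup F5_IPS_Exclusion.csv F5_Exclusion_IPS AS ip_client OUTPUT F5_Exclusion_IPS AS excluded_ip
| where isnull(excluded_ip)
| fields - excluded_ip

index=web sourcetype=f5
| lookup F5_IPS_Exclusion.csv F5_Exclusion_IPS AS ip_client OUTPUT F5_Exclusion_IPS AS excluded_ip
| eval in_exclusion_list=if(isnotnull(excluded_ip), "yes", "no")
| stats count BY in_exclusion_list
```

Run the third search first: if `in_exclusion_list=yes` shows zero events although excluded IPs are known to be present, the field name or the case of the values in the CSV does not match the event field, and the filter would silently exclude nothing.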