Splunk Search

Why is the subsearch excluding inputlookup results?

swengroeneveld
Explorer

Good morning,

Hope someone can help me out here. I am trying to get a list of IPs where hits are > 100, but I want to exclude an external list that is saved as an inputlookup file.

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip]

The problem I am facing here is that in both cases (i.e., with and without the last line, "NOT [|...") I am getting the same number, while when I manually reviewed the result, a few IPs are in the input file as well as in the "base" query.

Also the following did not provide the desired results:

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| search NOT [ | inputlookup savedfile | fields test_ip | rename test_ip AS ip ]

Thanks for the feedback and thinking in advance,


manjunathmeti
Champion

Use lookup command and exclude IPs that are matched. Try this query.

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| lookup savedfile test_ip AS ip OUTPUT test_ip 
| where isnull(test_ip)

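The accepted answer is a lookup-based anti-join: every result row is matched against the lookup file and the rows that got a value back are dropped. The following is an added example, not code from the original post, that keeps that pattern but adds the two checks a practitioner would want before trusting the count. It assumes the same lookup file (savedfile, with a column test_ip) as the thread; the field names excluded_ip and excluded are my own.

```spl
index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| eval ip=trim(ip)
| lookup savedfile test_ip AS ip OUTPUTNEW test_ip AS excluded_ip
| eval excluded=if(isnull(excluded_ip), "no", "yes")
| stats count BY excluded
```

The eval with trim() normalises the join key on the event side, because a stray space or carriage return in either the event field or the CSV makes the lookup match fail silently, which is exactly what a count that never changes looks like; check the CSV itself with the same trim() if the "yes" bucket is unexpectedly empty. OUTPUTNEW, unlike OUTPUT, does not overwrite a field that already exists on the result, so renaming the output to excluded_ip keeps the original test_ip column intact if the events carry one. The final stats shows how many IPs the lookup matched; once that number looks right, replace the last two lines with `| where isnull(excluded_ip)` to get the filtered list from the accepted answer.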


swengroeneveld
Explorer

This seems to be working perfectly! Thanks a lot!


morethanyell
Builder

Not an answer, but just curious as to why you wouldn't perform the filtering in the first-level search, such as index=server site=login NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip] ?

0 Karma
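When a NOT [subsearch] filter like the one suggested here appears to do nothing, the first thing to check is what the subsearch actually expands to. The following added example (not code from the original thread) runs the subsearch on its own through the format command, which prints the exact search string Splunk would splice into the outer search; it assumes the same lookup file and column as the thread.

```spl
| inputlookup savedfile
| fields test_ip
| rename test_ip AS ip
| format
```

The result is a single field named search containing an expression of the form ( ( ip="203.0.113.5" ) OR ( ip="198.51.100.7" ) ) built from the rows of the lookup. If the quoted values carry trailing spaces, look like "test_ip" because the rename did not apply, or the expression is empty, the outer NOT cannot match anything and the count stays unchanged. Also keep the size of the list in mind: a subsearch returns at most 10,000 rows by default (the maxout setting in the [subsearch] stanza of limits.conf), and the truncation is silent, so a large exclusion list is another reason to prefer the lookup command, which has no such limit.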

swengroeneveld
Explorer

Good question, my thinking, and maybe wrongly, is that scripts execute left --> right, top to bottom.

Meaning that if I narrow the search first, the lookup goes quicker.
