Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the subsearch excluding inputlookup results?

swengroeneveld
Explorer
‎02-19-2020 10:07 PM

Good morning,

Hope someone can help me out here. I am trying to get a list of IPs where hits are > 100, but I want to exclude an external list that is saved as an inputlookup file. 

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip]

The problem I am facing here is that in both cases (so with removing the last line of the code "NOT [|..") I am getting the same number as with the line while I manually reviewed the result and a few IPs are in the input file as well as on the "base" query.

Also the following did not provide the desired results:

    index=server site=login 
    | stats count AS Hits BY ip
    | search Hits > 100
    | search NOT [ | inputlookup savedfile | fields test_ip | rename test_ip AS ip ]

Thanks for the feedback and thinking in advance,

Tags (2)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-20-2020 06:44 AM

Use lookup command and exclude IPs that are matched. Try this query.

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| lookup savedfile test_ip AS ip OUTPUT test_ip 
| where isnull(test_ip)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

manjunathmeti
Champion
‎02-20-2020 06:44 AM

Use lookup command and exclude IPs that are matched. Try this query.

index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| lookup savedfile test_ip AS ip OUTPUT test_ip 
| where isnull(test_ip)
0 Karma
Reply
Solved! Jump to solution

swengroeneveld
Explorer
‎02-21-2020 01:52 AM

This seems to be working perfectly! Thanks a lot!

0 Karma
Reply
Solved! Jump to solution

morethanyell
Builder
‎02-20-2020 06:06 AM

Not an answer but just curious as to why wouldn't you perform there filtering in the first level search, such as index=server site=login NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip] ?

0 Karma
Reply
Solved! Jump to solution

swengroeneveld
Explorer
‎02-21-2020 01:54 AM

Good question, my thinking, and maybe wrongly, is that scripts execute left --> right, top to bottom.

Meaning that if I narrow the search first, the lookup goes quicker.

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...