Splunk Search

Why is the subsearch excluding inputlookup results?

swengroeneveld
Explorer

Good morning,

Hope someone can help me out here. I am trying to get a list of IPs where hits are > 100, but I want to exclude an external list that is saved as an inputlookup file.

    index=server site=login
    | stats count AS Hits BY ip
    | search Hits > 100
    NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip]

The problem I am facing here is that in both cases (that is, with the last line of the code, "NOT [|..", removed) I am getting the same number as with the line, while when I manually reviewed the result, a few IPs are in the input file as well as in the "base" query.

Also the following did not provide the desired results:

    index=server site=login 
    | stats count AS Hits BY ip
    | search Hits > 100
    | search NOT [ | inputlookup savedfile | fields test_ip | rename test_ip AS ip ]

Thanks for the feedback and thinking in advance,

1 Solution

manjunathmeti
Champion

Use the lookup command and exclude IPs that are matched. Try this query.

    index=server site=login
    | stats count AS Hits BY ip
    | search Hits > 100
    | lookup savedfile test_ip AS ip OUTPUT test_ip
    | where isnull(test_ip)

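An added example, not part of manjunathmeti's answer, that checks whether the lookup is matching anything before any rows are dropped. It reuses the lookup name `savedfile` and the field `test_ip` from the thread; the field name `in_list` is chosen here for illustration.

```spl
index=server site=login
| stats count AS Hits BY ip
| search Hits > 100
| lookup savedfile test_ip AS ip OUTPUT test_ip
| eval in_list=if(isnotnull(test_ip), "yes", "no")
| stats count AS ips BY in_list
```

If the `in_list=yes` row is 0 while you know some of these IPs are in the file, the match itself is failing rather than the exclusion: `lookup` needs a lookup definition (`inputlookup` also accepts a plain CSV file name, `lookup` does not), the match is case-sensitive by default, and stray whitespace in the CSV values can prevent an exact match. Once the split looks right, replace the last two lines with `| where isnull(test_ip)` as in the accepted answer. `OUTPUT` overwrites an existing `test_ip` field; after `stats` only `ip` and `Hits` remain so that does not matter here, but `OUTPUTNEW` is the safer choice when the event data already carries a field of the same name.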

swengroeneveld
Explorer

This seems to be working perfectly! Thanks a lot!


morethanyell
Builder

Not an answer, but just curious as to why you wouldn't perform the filtering in the first-level search, such as index=server site=login NOT [| inputlookup savedfile | fields test_ip | rename test_ip AS ip] ?


swengroeneveld
Explorer

Good question. My thinking, maybe wrongly, is that scripts execute left --> right, top to bottom.

Meaning that if I narrow the search first, the lookup goes quicker.

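An added diagnostic, not from the thread, for the subsearch form used in the original question and in morethanyell's comment. A subsearch runs first and its rows are turned into a search clause that is substituted into the outer search before the outer search runs; piping the same subsearch through `format` shows that clause in a field named `search`, so you can see exactly what `NOT [...]` is excluding, or that it is empty. The lookup and field names are the thread's own.

```spl
| inputlookup savedfile
| fields test_ip
| rename test_ip AS ip
| format
```

The output is a single row whose `search` field looks something like `( ( ip="10.0.0.1" ) OR ( ip="10.0.0.2" ) )` (values here are constructed). Two limits apply to every subsearch and come from the `[subsearch]` stanza in limits.conf: `maxout` (default 10,000 rows) and `maxtime` (default 60 seconds). A list that exceeds either is cut off and the outer search runs with the shorter list, so IPs that should have been excluded remain in the results and nothing in the result set flags it (the truncation shows up only as a job warning). The `lookup` command in the accepted answer has no such cap, which matters for an exclusion list that grows over time, wherever the filter sits in the pipeline.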