check if a field value is in a specific reference set list

horsefez
SplunkTrust

Hi,

I have data which I want to filter based on the IP addresses contained in a .csv file.

For example my events look like:
Event_1 192.168.1.1
Event_2 192.168.1.2
Event_3 192.168.1.3
Event_4 192.168.1.1
Event_5 192.168.1.2
Event_6 192.168.1.3
Event_7 192.168.1.2
Event_8 192.168.1.2
I extracted the IPs as SOURCE_IP.

I now want to filter on events whose SOURCE_IP is contained in IP_whitelist.csv.
IP_whitelist.csv looks like this:
192.168.1.3,
192.168.1.1

Does anyone have an idea how the search string needs to be assembled?

Thanks in advance!


asimagu
Builder

You could have a lookup table with your whitelist, then keep only the records that match your lookup

That way you could alter your whitelist file manually without affecting the Splunk query.

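As an added example (not part of asimagu's answer, and not the poster's own search), this is how the "keep only the records that match your lookup" approach looks in SPL. It assumes a lookup definition named ip_whitelist that points at IP_whitelist.csv and that the CSV has a header row naming its column whitelistip; the field name allowed is an arbitrary output name chosen here. Because the lookup command enriches each event rather than feeding a subsearch, it is not subject to the subsearch result limit that the [|inputlookup ...] form hits once the whitelist grows past the default of 10,000 rows.

```spl
sourcetype=application1
| lookup ip_whitelist whitelistip AS SOURCE_IP OUTPUT whitelistip AS allowed
| where isnotnull(allowed)
| fields - allowed
```

The lookup matches each event's SOURCE_IP against the whitelistip column; events with no match get no allowed field and are dropped by the where clause. To get the opposite behaviour (report events whose source is not on the list, which is the more common detection use of such a file), change the condition to isnull(allowed). If the CSV is edited by hand, make sure every row is a bare address with no trailing comma, since an empty second column would otherwise change the column count the lookup expects.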

horsefez
SplunkTrust

Cool, would you be able to help me with my search syntax a bit? I have problems with the lookup.

My search looks like:
sourcetype=application1 [|inputlookup ip_whitelist | fields whitelistip]
but somehow the search does not return any events... Any clues?

Thank you so far!


aholzer
Motivator

@horsefez just rename whitelistip to SOURCE_IP inside your subsearch:
sourcetype=application1 [| inputlookup ip_whitelist | rename whitelistip AS SOURCE_IP | fields SOURCE_IP]