Hi,
I have data that I want to filter based on the IP addresses contained in a .csv file.
For example, my events look like:
Event_1 192.168.1.1
Event_2 192.168.1.2
Event_3 192.168.1.3
Event_4 192.168.1.1
Event_5 192.168.1.2
Event_6 192.168.1.3
Event_7 192.168.1.2
Event_8 192.168.1.2
I extracted the IPs as SOURCE_IP.
I now want to filter on events whose SOURCE_IP is contained in IP_whitelist.csv.
IP_whitelist.csv looks like this:
192.168.1.3,
192.168.1.1
Does anyone have an idea how the search string needs to be assembled?
Thanks in advance!
You could have a lookup table with your whitelist, then keep only the records that match your lookup.
That way you could alter your whitelist file manually without affecting the Splunk query.
Cool, would you be able to help me with my search syntax a bit? I have problems with the lookup.
My search looks like:
sourcetype=application1 [|inputlookup ip_whitelist | fields whitelistip]
but somehow the search does not return any events... any clues?
Thank you so far!
@horsefez just rename whitelistip to SOURCE_IP inside your subsearch:
sourcetype=application1 [| inputlookup ip_whitelist | rename whitelistip AS SOURCE_IP | fields SOURCE_IP]
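Why the field name returned by the subsearch decides whether anything matches, as an added Python example that is not part of the original thread: it models how the rows a subsearch returns become `field="value"` terms OR-ed into the outer search. The `whitelistip` header row in the CSV and all helper names are assumptions; the events and IPs are the sample data from the question.

```python
import csv
import io

# Constructed sample: the eight events from the question, with the extracted field.
EVENTS = [
    {"event": f"Event_{i}", "SOURCE_IP": ip}
    for i, ip in enumerate(
        ["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.1",
         "192.168.1.2", "192.168.1.3", "192.168.1.2", "192.168.1.2"], start=1)
]

# The whitelist from the question, trailing comma included.
# Assumption: the file carries a header row naming the column "whitelistip".
WHITELIST_CSV = "whitelistip\n192.168.1.3,\n192.168.1.1\n"


def load_whitelist(text, column="whitelistip"):
    """Read one column from the CSV, ignoring the stray empty second cell."""
    rows = csv.DictReader(io.StringIO(text))
    return [row[column].strip() for row in rows if row.get(column)]


def expand_subsearch(values, field):
    """Model of subsearch expansion: one (field, value) term per returned row."""
    return [(field, value) for value in values]


def render(terms):
    """Show the filter the outer search effectively receives."""
    return "( " + " OR ".join(f'( {f}="{v}" )' for f, v in terms) + " )"


def run_search(events, terms):
    """Keep events where at least one term's field exists and equals its value."""
    return [e["event"] for e in events if any(e.get(f) == v for f, v in terms)]


if __name__ == "__main__":
    ips = load_whitelist(WHITELIST_CSV)
    for field in ("whitelistip", "SOURCE_IP"):
        terms = expand_subsearch(ips, field)
        print(render(terms), "->", run_search(EVENTS, terms))
```
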