Join the Conversation
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- exclude IPs from results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to exclude some IP addresses which are about over 100 in my search.
Seems silly to type NOT NOT NOT.. 100+ times.
source="dbmon-tail://netmanias/splunk_ads_click" NOT "61.247.204.36" NOT "61.247.204.38" NOT "61.247.204.37" NOT "61.247.204.39" NOT "61.247.204.35......"
Is there any good idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes! use a combination of a lookup file and a subsearch.
Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:
match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....
Create a transforms.conf file with the following stanza:
[ipAdd]
filename = ipAdd.csv
Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):
| inputlookup ipAdd
Assuming this returns the contents of the file, you can construct your search as follows:
source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]
Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the IP addresses are in a specific range you could use the CIDR notation like this:
source="dbmon-tail://netmanias/splunk_ads_click" NOT 61.247.204.0/24
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes! use a combination of a lookup file and a subsearch.
Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:
match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....
Create a transforms.conf file with the following stanza:
[ipAdd]
filename = ipAdd.csv
Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):
| inputlookup ipAdd
Assuming this returns the contents of the file, you can construct your search as follows:
source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]
Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much!! I solved it!!
Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!
Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.
Why Splunk Customers Should Attend Cisco Live 2026 Las Vegas
What Is the Name of the USB Key Inserted by Bob Smith? (BOTS Hint, Not the Answer)
Automating Threat Operations and Threat Hunting with Recorded Future
