Splunk Search

exclude IPs from results

hylee
Explorer

Hi,
I want to exclude some IP addresses which are about over 100 in my search.
Seems silly to type NOT NOT NOT.. 100+ times.

source="dbmon-tail://netmanias/splunk_ads_click" NOT "61.247.204.36" NOT "61.247.204.38" NOT "61.247.204.37" NOT "61.247.204.39" NOT "61.247.204.35......"

Is there any good idea?

Tags (3)
0 Karma
1 Solution

MHibbin
Influencer

yes! use a combination of a lookup file and a subsearch.

Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:

match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....

Create a transforms.conf file with the following stanza:

[ipAdd]
filename = ipAdd.csv

Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):

| inputlookup ipAdd

Assuming this returns the contents of the file, you can construct your search as follows:

source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]

Ref:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork

Hope this helps,

View solution in original post

peter_krammer
Communicator

If the IP addresses are in a specific range you could use the CIDR notation like this:
source="dbmon-tail://netmanias/splunk_ads_click" NOT 61.247.204.0/24

0 Karma

MHibbin
Influencer

yes! use a combination of a lookup file and a subsearch.

Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:

match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....

Create a transforms.conf file with the following stanza:

[ipAdd]
filename = ipAdd.csv

Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):

| inputlookup ipAdd

Assuming this returns the contents of the file, you can construct your search as follows:

source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]

Ref:

http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork

Hope this helps,

hylee
Explorer

Thank you so much!! I solved it!!

0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...