Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

inputlookup

timgmanCORP
Observer
‎08-14-2024 12:15 PM

I have a csv with ip addresses. I would like to conduct a search for addresses that are NOT listed in that csv. 

I was attempting the following but it does not render the results I was expecting. I want to search for ip addresses that are not in that list.           IE: unknown address... 

Splunk Enterprise Security 

index=myindex
| rex "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)" | sort ip | table ip NOT [inputlookup known_addresses.csv]
Labels (2)
Labels
0 Karma
Reply

yuanliu
SplunkTrust
SplunkTrust
‎08-14-2024 11:09 PM

inputlookup is the wrong approach to finding events that do not have a match. (Unless you don't have a choice, or if it is applicable in index search, inputlookup is usually wrong.)  lookup command is way more efficient.

index=myindex
| rex "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)"
| lookup known_addresses.csv ip output ip as match
| where isnull(match)
| sort ip
| table ip

 

Tags (1)
Reply

marnall
Motivator
‎08-14-2024 12:48 PM

I recommend first running a search using only inputlookup to ensure that your IP addresses are returning properly:

| inputlookup known_addresses.csv

You should get a single column of addresses with the "ip" field name.

ip
192.168.1.1
123.123.123.123
222.111.133.111


Then you can put it into a negated search filter in your main search: (I haven't checked your regex, so assume it works to create a field of "ip" with an ip address value.)

index=myindex
| rex field=_raw "(?<ip>\b(?:(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(?:25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\b)"
| search NOT [| inputlookup known_addresses.csv]
| sort ip
| table ip

If the regex does not work, you can try this one:

index=myindex
| rex field=_raw "(?<ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
| search NOT [| inputlookup known_addresses.csv]
| sort ip
| table ip


You may also want to put dedup at the end, to remove duplicate ip addresses:

...
| dedup ip

 

0 Karma
Reply
Get Updates on the Splunk Community!

Dashboards: Hiding charts while search is being executed and other uses for tokens

There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...

Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...

This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...

Brains, Bytes, and Boston: Learn from the Best at .conf25

When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...