Hi @Karthikeya, follow these few steps:

1. Create a lookup called as you prefer (e.g. whitelisted_ips.csv).
2. Create a lookup definition with the same name, adding CIDR as the match_type under Advanced options.
3. Create a search that extracts the IPs to whitelist, and at the end of the search add the command | outputlookup whitelisted_ips.csv
4. Using this search, create an alert scheduled with the frequency you like (e.g. once a day during the night).

In this way, you can use the lookup to exclude the IPs from your results by running a search like the following (if the field in the lookup is "ip" and you want to search the IPs in a field called ip):

<your_search> NOT [ | inputlookup whitelisted_ips.csv | fields ip ]
| ...

If instead you want to search the IPs in the whole event, you can run:

<your_search> NOT [ | inputlookup whitelisted_ips.csv | rename ip AS query | fields query ]
| ...

In this way, you execute a full text search on the _raw of your events.

Ciao.
Giuseppe
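The following is an added example, not part of Giuseppe's answer or of Splunk itself: it models outside Splunk what the whitelist lookup with CIDR match_type does, so you can check which events the exclusion would drop before scheduling the alert. The CSV content and the events are constructed samples; the field name "ip" and the file name whitelisted_ips.csv follow the answer above. One caveat worth knowing: the CIDR match_type set in the lookup definition is honoured by the `lookup` command, whereas a subsearch built from `inputlookup` returns the stored values as literal terms, so a CIDR block like 10.0.0.0/8 in the lookup only matches as a range when the lookup definition is applied, not when it is expanded into a subsearch.

```python
import csv
import io
import ipaddress

# Constructed sample of whitelisted_ips.csv: with match_type = CIDR(ip) in the
# lookup definition the "ip" field may hold a single host or a CIDR block.
WHITELIST_CSV = """ip
10.0.0.0/8
192.168.1.25
203.0.113.0/24
"""

# Constructed sample events standing in for the results of <your_search>.
EVENTS = [
    {"ip": "10.12.3.4",    "_raw": "src=10.12.3.4 action=login"},
    {"ip": "192.168.1.25", "_raw": "src=192.168.1.25 action=login"},
    {"ip": "192.168.1.26", "_raw": "src=192.168.1.26 action=login"},
    {"ip": "198.51.100.7", "_raw": "src=198.51.100.7 action=login"},
    {"ip": "203.0.113.9",  "_raw": "src=203.0.113.9 action=login"},
]


def load_whitelist(csv_text):
    """Parse the lookup CSV into network objects; a bare host becomes a /32."""
    nets = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = row["ip"].strip()
        if value:
            nets.append(ipaddress.ip_network(value, strict=False))
    return nets


def is_whitelisted(ip, nets):
    """CIDR match: True when the address falls inside any whitelisted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def exclude_whitelisted(events, nets, field="ip"):
    """Keep only events whose `field` is not covered by the whitelist
    (the effect of: <your_search> NOT [ ... whitelisted IPs ... ])."""
    return [e for e in events if not is_whitelisted(e[field], nets)]


def remaining_ips(events=EVENTS, csv_text=WHITELIST_CSV):
    """Convenience wrapper: the IPs that survive the exclusion."""
    return [e["ip"] for e in exclude_whitelisted(events, load_whitelist(csv_text))]


if __name__ == "__main__":
    for ip in remaining_ips():
        print("kept:", ip)
```

Running it shows that 10.12.3.4 and 203.0.113.9 are dropped by their /8 and /24 blocks and 192.168.1.25 by its exact entry, while 192.168.1.26 and 198.51.100.7 remain; that is the behaviour to expect from the scheduled lookup once the CIDR match is applied through the lookup definition.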