Solved: Re: Compare output of a search to a lookup values

gl_splunkuser · ‎03-17-2021

Hello everyone,

I am trying to compare a list of IPs from a lookup with a output from a search field, and instated of do this,

| search ( dest_ip!=10.0.0.0/8 AND dest_ip!=172.16.0.0/12 AND dest_ip!=192.168.0.0/16 ...)

I want to have a lookup with the ips ranges and exclude from the results the ip that matchs with the lookup.

My lookup is like:

ips

13.64.0.0/11
13.96.0.0/13
13.104.0.0/14
....

Really thanks in advance.

scelikok · ‎03-17-2021

You can use the lookup for search; I assume your lookup name is "ips_lookup" and has a field called "ips". Please update these with the correct ones.

| search NOT 
    [| inputlookup ips_lookup 
    | fields ips 
    | rename ips as dest_ip]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

scelikok · ‎03-17-2021

You can use the lookup for search; I assume your lookup name is "ips_lookup" and has a field called "ips". Please update these with the correct ones.

| search NOT 
    [| inputlookup ips_lookup 
    | fields ips 
    | rename ips as dest_ip]

If this reply helps you an upvote and "Accept as Solution" is appreciated.

Compare output of a search to a lookup values