Solved: Excluding a list of IP's from the results

samble · ‎02-02-2019

I have a list of IP's in a CSV that I need to exclude from the results of a query. Below is a my query. How can I apply the lookup feature or something else to accomplish this? I would like to include all the destination IP's that I want to exclude in the CSV and display the top ten destination IP's thanks.

sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRuleAction=Allow AND NOT DstIP=172.* | top limit=10 DstIP

richgalloway · ‎02-02-2019

Assuming your list of excluded IPs is in a lookup file called 'exclude.csv', the query would look something like this:

sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRuleAction=Allow NOT [|inputlookup exclude,csv | fields ip | format] | top limit=10 DstIP

---
If this reply helps you, Karma would be appreciated.

View solution in original post

richgalloway · ‎02-02-2019

Assuming your list of excluded IPs is in a lookup file called 'exclude.csv', the query would look something like this:

sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRuleAction=Allow NOT [|inputlookup exclude,csv | fields ip | format] | top limit=10 DstIP

---
If this reply helps you, Karma would be appreciated.

samble · ‎02-03-2019

Thanks for your guidance. I had to make a slight change and it worked. It wanted the fields also as DstIP

sourcetype="cisco:sourcefire:appliance:syslog" AccessControlRuleAction=Allow NOT [|inputlookup Exclude.csv | fields DstIP | format] | top limit=10 DstIP

Excluding a list of IP's from the results

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector