Finding ip's not in a inputlookup

realtimetechnol · ‎07-08-2020

Hi All,

I appreciate that there are tons of answers on this but I am having issues getting it to work!

I have a csv named known-ip-addresses.csv it contains the same fields as those in the indexed data eventName, src, "user.Identity.arn" in exactly the same case and separated. The inputlookup works ok and I can search against values. I have not created a lookup definition

In the indexed data we have a sourcetype with the same fields, I am trying to find any ip's (src field) that are not in the inputlookup.

sourcetype=aws:cloudtrail eventName=ConsoleLogin NOT [inputlookup known-ip-addresses.csv | fields eventName, src, "user.Identity.arn" ]

The result is that I am getting a mix of addresses that are in the csv as well as those that are not.

Can anyone point me in the right direction?

Thanks in advance.

richgalloway · ‎07-08-2020

Run this search

inputlookup known-ip-addresses.csv 
| fields eventName, src, "user.Identity.arn" 
| format

to see what is being returned from the subsearch. Tweak the subsearch, and perhaps also the options to format, to get results that match your index.

---
If this reply helps you, Karma would be appreciated.

Finding ip's not in a inputlookup

subsearch

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector