Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude the results by filtering source IPs from a lookup table and then filter the results by different fields.

dpdwibedy
Explorer
‎04-27-2020 05:16 AM

Hi , Sorry , if I am asking duplicate question.

Looking for something like this....

1) I have a list of source IPs in a csv file , which I want to exclude from the results.
2) Then filter the results with different fields.

index=abc_splunk sourcetype=access_log uri!="/healthcheck" |lookup Source_IPs.csv rIP OUTPUT rIP as RealIP | where isnull(RealIP) | stats count by uri,http_status

This works , but if I add "stats count by realIP, uri,http_status" then it doesn't work.

Do I need to use "fillnull" as well here ? If yes , then how can I use it for different fields ?

Thanks,
DD

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2020 05:50 AM

You can't perform stats on a null field (RealIP). You will get no results. Your where clause says you want to see events without a RealIP value, therefore, it makes no sense to include RealIP in your stats. You could specify | fillnull value="0.0.0.0" RealIP, but what value would that add to your results?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

dpdwibedy
Explorer
‎04-27-2020 06:02 AM

Hi,

I want to exclude the IPs which are in the csv file from the search results , but want to display rest of the IPs.

How can I list rest of the IPs with other stats ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2020 08:22 AM

Try this:

index=abc_splunk sourcetype=access_log uri!="/healthcheck" NOT [ | inputlookup Source_IPs.csv | rename rIP as RealIP | format ] | stats count by RealIP, uri,http_status
---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply

to4kawa
Ultra Champion
‎04-27-2020 05:49 AM

realIP
field name is case sensitive.

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to July Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

Updated Data Type Articles, Anniversary Celebrations, and More on Splunk Lantern

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

A Prelude to .conf25: Your Guide to Splunk University

Heading to Boston this September for .conf25? Get a jumpstart by arriving a few days early for Splunk ...