Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to exclude the results by filtering source IPs from a lookup table and then filter the results by different fields.

dpdwibedy
Explorer
‎04-27-2020 05:16 AM

Hi , Sorry , if I am asking duplicate question.

Looking for something like this....

1) I have a list of source IPs in a csv file , which I want to exclude from the results.
2) Then filter the results with different fields.

index=abc_splunk sourcetype=access_log uri!="/healthcheck" |lookup Source_IPs.csv rIP OUTPUT rIP as RealIP | where isnull(RealIP) | stats count by uri,http_status

This works , but if I add "stats count by realIP, uri,http_status" then it doesn't work.

Do I need to use "fillnull" as well here ? If yes , then how can I use it for different fields ?

Thanks,
DD

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2020 05:50 AM

You can't perform stats on a null field (RealIP). You will get no results. Your where clause says you want to see events without a RealIP value, therefore, it makes no sense to include RealIP in your stats. You could specify | fillnull value="0.0.0.0" RealIP, but what value would that add to your results?

---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply

dpdwibedy
Explorer
‎04-27-2020 06:02 AM

Hi,

I want to exclude the IPs which are in the csv file from the search results , but want to display rest of the IPs.

How can I list rest of the IPs with other stats ?

0 Karma
Reply

richgalloway
SplunkTrust
SplunkTrust
‎04-27-2020 08:22 AM

Try this:

index=abc_splunk sourcetype=access_log uri!="/healthcheck" NOT [ | inputlookup Source_IPs.csv | rename rIP as RealIP | format ] | stats count by RealIP, uri,http_status
---
If this reply helps you, an upvote would be appreciated.
0 Karma
Reply

to4kawa
SplunkTrust
SplunkTrust
‎04-27-2020 05:49 AM

realIP
field name is case sensitive.

0 Karma
Reply
Register for .conf21 Now! Go Vegas or Go Virtual!

How will you .conf21? You decide! Go in-person in Las Vegas, 10/18-10/21, or go online with .conf21 Virtual, 10/19-10/20.

Get Updates on the Splunk Community!