Splunk Search

Exclude WhiteList IP from results

staymini
Explorer

I want to exclude the IP in the lookup file from the search results.

1. I have defined a lookup file that contains WhiteList IP.
   • The contents of Lookup File are 1.1.1.1
2. I looked it up using the following query.
   Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
   Result : 2.2.2.2 3.3.3.3
   It was successful !!

I tried next.
Query : index=fw 2.2.2.2 | table wIP | outputlookup whitelist append=t
Result : 2.2.2.2

I have confirmed that 2.2.2.2 has been added to the lookup file.
Query : | inputlookup whitelist
Result : 1.1.1.1 2.2.2.2

Next Search
Query : index=fw | lookup whitelist ip as wIP OUTPUT ip | where isnotnull(ip)
Result : 2.2.2.2 3.3.3.3

2.2.2.2 is not excluded !!!

Please let me know why.

What should I do?

1 Solution

tiagofbmm
Influencer

Hey

You can try using the return command to include or exclude the IPs in the whitelist lookup.

Include

index=fw 
[ | inputlookup whitelist | fields ip | return 10000 $ip]

Exclude

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 $ip])

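A field-bound variant of the same technique, added here as an example and not part of tiagofbmm's answer; it assumes the firewall events carry the source address in a field named src_ip (a placeholder) and that the lookup column is named ip as on the page. The first search shows what the subsearch expands to, the second excludes whitelisted addresses by field instead of by free-text token, and the third reaches the same result with lookup and isnull.

```spl
| inputlookup whitelist | fields ip | return 10000 src_ip=ip

index=fw NOT ( [ | inputlookup whitelist | fields ip | return 10000 src_ip=ip ] )

index=fw
| lookup whitelist ip AS src_ip OUTPUT ip AS wl_ip
| where isnull(wl_ip)
```

return emits a single row unless a count is given, which is why the answer passes 10000, and subsearch output is additionally capped by the limits.conf subsearch maxout setting (10000 by default), so a whitelist larger than that needs the lookup form.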

staymini
Explorer

Wow!!! I did not know this way!!!
Thank you very much.
I want you to be filled with good things.
