- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to ignore cidr from a lookup file in a search?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I have a large list of IP ranges in a lookup file. I want to ignore these in a search.
I can do the following for one specific IP range which works:
index=uk |where not cidrmatch("1.2.3.0/24",remote_ip) | top remote_ip
but I am struggling to get it to work with a lookup. I think I need to replace the IP with a subsearch doing the lookup from the file such as
index=uk |where not cidrmatch([search inputlookup ips |fields cidr],remote_ip) | top remote_ip
where the lookup definition is called ips and the only field is called cidr, but this doesn’t work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you are trying to do this, right?
http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
The trick is that you will have to have some other field in the lookup to trigger your NOT logic. Let us say the field is called Matched (it doesn't matter what the value is, so long as it is non-null, but you would probably always set it to Y), then you search like this:
index=uk |where isnull(Matched)
The idea is that your IP passed through the lookup but did not match any CIDR so the Matched field did not get created. Only get those.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I believe you are trying to do this, right?
http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html
The trick is that you will have to have some other field in the lookup to trigger your NOT logic. Let us say the field is called Matched (it doesn't matter what the value is, so long as it is non-null, but you would probably always set it to Y), then you search like this:
index=uk |where isnull(Matched)
The idea is that your IP passed through the lookup but did not match any CIDR so the Matched field did not get created. Only get those.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I see what you are talking about re logic and have added another field to the file with Y
unfortunately I just have standard user access and do not have admin privileges and can not log onto the server to edit conf files etc, which appears to be a requirement of the solutions provided in the link.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All of this can be done through the GUI, too (you will have to click Advanced Options in many places). Do you have privileges to do Settings -> Fields -> Field Extractions -> New? If so, you can do it through the GUI instead of accessing the files directly.
Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!
They're back! Join the SplunkTrust and MVP at .conf24
Enterprise Security Content Update (ESCU) | New Releases
