If I have a search that returns a list of IP addre...

alexl1 · ‎04-13-2015

hi,

Say I have a search that returns a list of IP addresses. What is the syntax to check if IPs in a second list do not appear in this result set?

yannK · ‎04-13-2015

First, if you have a field that contains several IPs you can split the events
- you may want to define a multivalue field (see makemv)
- and split each event in one event per IP (see mvexpand) .
see http://docs.splunk.com/Documentation/Splunk/6.2.2/Search/Parsemultivaluefields

Second, to do the matching between the results and the second list.
You can use several methods like :
- use JOIN command (only if you have less than 10000 lines in the list)
- use a lookup, and maybe add a command to mark the matching/non matching events.

If I have a search that returns a list of IP addresses, what would be the syntax to check if IPs in a second list do not appear in this result set?

Detecting Remote Code Executions With the Splunk Threat Research Team

Observability | Use Synthetic Monitoring for Website Metadata Verification

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk