IPs in lookup table
3.124.56/32
64.37.99.0/24
55.63.24.7/16
How do I edit my search to exclude IPs from outside against the subnet IPs in a lookup file?
Hi @AL3Z,
You can easily use the inputlookup command. Assuming your subnets are in the subnets.csv lookup with an ip field, and your events have a src_ip field:
| search [|inputlookup subnets.csv | rename ip as src_ip]
Follow the Splunk docs to set up your lookup with a lookup definition and a match type of CIDR for that column.
Then use it with the lookup command. The pattern to filter to events that are in the lookup is usually like the below:
MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnotnull(toFilter)
To add to @starcher's instructions, I recently made this screenshot to help with another question; the only difference is the file name.
As shown here, you need to check "Advanced options" in order to set up CIDR match type.
As you are looking for non-matching entries, your filter should be isnull as opposed to isnotnull.
MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnull(toFilter)
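An added example (not from any of the answers above, and not Splunk code) that emulates what the CIDR-match lookup plus `where isnull(toFilter)` does, so the lookup rows from the question can be checked before loading them: the lookup text and the event list are constructed samples, and the handling of the three-octet row and of the row with host bits set is this script's own rule, an assumption rather than a statement of how Splunk's CIDR match treats such rows.

```python
import ipaddress

# Constructed copy of the lookup file from the question (subnets.csv, column "ip").
LOOKUP_CSV = """ip
3.124.56/32
64.37.99.0/24
55.63.24.7/16
"""

# Constructed sample events carrying the src_ip field used in the answers.
EVENTS = [
    {"src_ip": "64.37.99.200", "msg": "inside the /24"},
    {"src_ip": "55.63.1.1", "msg": "inside the /16 once host bits are masked"},
    {"src_ip": "8.8.8.8", "msg": "outside every subnet"},
    {"src_ip": "not-an-ip", "msg": "unparsable src_ip, never matches"},
]


def load_cidr_lookup(csv_text):
    """Parse the lookup column into networks, as a CIDR-match lookup definition would.
    Returns (networks, rejected_rows) so malformed rows are visible, not silently dropped."""
    networks, rejected = [], []
    for row in csv_text.strip().splitlines()[1:]:  # skip the "ip" header row
        row = row.strip()
        try:
            # strict=False masks host bits: 55.63.24.7/16 becomes 55.63.0.0/16 (assumption)
            networks.append(ipaddress.ip_network(row, strict=False))
        except ValueError:
            rejected.append(row)  # 3.124.56/32 has only three octets and cannot be a CIDR
    return networks, rejected


def match_subnet(src_ip, networks):
    """Emulates `lookup ... OUTPUTNEW src as toFilter`: the matched network, or None."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:
        return None  # a non-IP value gets no lookup match, so toFilter stays null
    for net in networks:
        if addr in net:
            return str(net)
    return None


def exclude_in_subnets(events, networks):
    """Emulates `| where isnull(toFilter)`: keep events whose src_ip is in no subnet."""
    return [e for e in events if match_subnet(e["src_ip"], networks) is None]


if __name__ == "__main__":
    nets, bad = load_cidr_lookup(LOOKUP_CSV)
    print("lookup rows that are not valid CIDRs:", bad)
    for e in exclude_in_subnets(EVENTS, nets):
        print(e["src_ip"], "-", e["msg"])
```

Rows reported as rejected are worth fixing in the lookup file itself, since a lookup row that never matches quietly lets every event through the isnull filter.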