<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic How can I create a suppression/whitelist for traffic between two IP addresses? in Getting Data In</title>
    <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-a-supression-whitelist-for-traffic-between-two/m-p/324387#M60388</link>
    <description>&lt;P&gt;I want to create a suppression / whitelist for traffic between these IPs:&lt;BR /&gt;
192.168.10.12/13/64/65 ---&amp;gt; 192.168.17.20/21&lt;/P&gt;

&lt;P&gt;• Source Port:&lt;BR /&gt;
o   25000&lt;BR /&gt;
o   143&lt;BR /&gt;
o   25002&lt;BR /&gt;
• Destination Port:&lt;BR /&gt;
o   443&lt;BR /&gt;
o   25000&lt;BR /&gt;
o   143&lt;BR /&gt;
o   25001&lt;BR /&gt;
o   993&lt;/P&gt;

&lt;P&gt;I tried the search query below; however, it is not working:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;search NOT (((src="192.168.10.12" OR src="192.168.10.13" OR src="192.168.10.64" OR src="192.168.10.65") AND (src_port="25000" OR src_port="25002" OR src_port="143")) AND ((dest="192.168.17.20" OR dest="192.168.17.21") AND (dest_port="143" OR dest_port="443" OR dest_port="993" OR dest_port="25000" OR dest_port="25001")))
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Kindly help to get this done.&lt;/P&gt;</description>
    <pubDate>Tue, 29 Sep 2020 17:06:47 GMT</pubDate>
    <dc:creator>prakhar_2</dc:creator>
    <dc:date>2020-09-29T17:06:47Z</dc:date>
    <item>
      <title>How can I create a suppression/whitelist for traffic between two IP addresses?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-a-supression-whitelist-for-traffic-between-two/m-p/324387#M60388</link>
      <description>&lt;P&gt;I want to create a suppression / whitelist for traffic between these IPs:&lt;BR /&gt;
192.168.10.12/13/64/65 ---&amp;gt; 192.168.17.20/21&lt;/P&gt;

&lt;P&gt;• Source Port:&lt;BR /&gt;
o   25000&lt;BR /&gt;
o   143&lt;BR /&gt;
o   25002&lt;BR /&gt;
• Destination Port:&lt;BR /&gt;
o   443&lt;BR /&gt;
o   25000&lt;BR /&gt;
o   143&lt;BR /&gt;
o   25001&lt;BR /&gt;
o   993&lt;/P&gt;

&lt;P&gt;I tried the search query below; however, it is not working:&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;search NOT (((src="192.168.10.12" OR src="192.168.10.13" OR src="192.168.10.64" OR src="192.168.10.65") AND (src_port="25000" OR src_port="25002" OR src_port="143")) AND ((dest="192.168.17.20" OR dest="192.168.17.21") AND (dest_port="143" OR dest_port="443" OR dest_port="993" OR dest_port="25000" OR dest_port="25001")))
&lt;/CODE&gt;&lt;/PRE&gt;

&lt;P&gt;Kindly help to get this done.&lt;/P&gt;</description>
      <pubDate>Tue, 29 Sep 2020 17:06:47 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-a-supression-whitelist-for-traffic-between-two/m-p/324387#M60388</guid>
      <dc:creator>prakhar_2</dc:creator>
      <dc:date>2020-09-29T17:06:47Z</dc:date>
    </item>
    <item>
      <title>Re: How can I create a suppression/whitelist for traffic between two IP addresses?</title>
      <link>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-a-supression-whitelist-for-traffic-between-two/m-p/324388#M60389</link>
      <description>&lt;P&gt;Try this. There will be &lt;CODE&gt;4 (#src) * 3 (#src_port) * 2 (#dest) * 5 (#dest_port) = 120&lt;/CODE&gt; combinations to be excluded. The subsearch generates the same. See Inspect job for Normalized search.&lt;/P&gt;

&lt;PRE&gt;&lt;CODE&gt;your base search NOT [| gentimes start=-1 | eval src=split("192.168.10.12 192.168.10.13 192.168.10.64 192.168.10.65"," ") | table src | mvexpand src | eval src_port=split("25000 143 25002", " ") | mvexpand src_port | eval dest=split("192.168.17.20 192.168.17.21"," ") | mvexpand dest | eval dest_port=split("443 25000 143 25001 993"," ") | mvexpand dest_port | format]
&lt;/CODE&gt;&lt;/PRE&gt;</description>
      <pubDate>Thu, 07 Dec 2017 21:29:21 GMT</pubDate>
      <guid>https://community.splunk.com/t5/Getting-Data-In/How-can-I-create-a-supression-whitelist-for-traffic-between-two/m-p/324388#M60389</guid>
      <dc:creator>somesoni2</dc:creator>
      <dc:date>2017-12-07T21:29:21Z</dc:date>
    </item>
  </channel>
</rss>

