https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355465#M3410 <P>Right!... It's a good practice to balance those guys haha! Glad it worked! (I edited the answer)</P> Wed, 31 May 2017 23:07:11 GMT larryjcp 2017-05-31T23:07:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355462#M3407 <P>Splunk 6.5.1<BR /> Splunk Enterprise Security (ES) 4.2.0</P> <P>I wrote the correlation search below (show sources that trigger more than 100 IPS alerts) which triggers nicely but I'm trying to add exclusions to get my desired results. I'm looking to get the output of IPS alerts that only match Severity=4. I'm also looking to exclude CIDR ranges from the output, ex 10.0.0.0/8. Any thoughts? </P> <PRE><CODE>| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count" from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src" | rename "IDS_Attacks.src" as "src" | where 'count'&gt;100 | rename "tag" as "orig_tag" </CODE></PRE> Fri, 28 Apr 2017 20:31:57 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355462#M3407 bwoltz 2017-04-28T20:31:57Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355463#M3408 <P>Hi bwoltz. See my suggestion below:</P> <PRE><CODE>| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag",c(IDS_Attacks.signature) as "count" from datamodel=Intrusion_Detection where nodename=IDS_Attacks by "IDS_Attacks.src" | `drop_dm_object_name("IDS_Attacks")` | where 'count'&gt;100 AND severity=4 AND NOT cidrmatch("10.0.0.0/8",src) | rename "tag" as "orig_tag" </CODE></PRE> <P>| <CODE>drop_dm_object_name("IDS_Attacks")</CODE> - is a macro that allows to drop the data model object name </P> <P>Hope it works!</P> Wed, 31 May 2017 05:48:43 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355463#M3408 larryjcp 2017-05-31T05:48:43Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355464#M3409 <P>larryjcp, if I remove the parenthesis to the left of count it works like a charm. Thanks!!!</P> Wed, 31 May 2017 21:08:00 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355464#M3409 bwoltz 2017-05-31T21:08:00Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355465#M3410 <P>Right!... It's a good practice to balance those guys haha! Glad it worked! (I edited the answer)</P> Wed, 31 May 2017 23:07:11 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355465#M3410 larryjcp 2017-05-31T23:07:11Z https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355466#M3411 <P>Since 7.1.1, when a field is multivalue, after the rename (included in the drop_dm_object_name macro) it's no longer a MV field.<BR /> Splunk changed something in the rename commande, and it has broken the multivalue capability.<BR /> Sad !</P> Tue, 29 Sep 2020 20:22:39 GMT https://community.splunk.com/t5/Splunk-Enterprise-Security/Splunk-Enterprise-Security-Adding-exclusions-to-my-Correlation/m-p/355466#M3411 Azerty728 2020-09-29T20:22:39Z