https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462018#M12597 <P>Use this <BR /> <CODE>index=nettraffic NOT ((source="a.b.c.d" dest="w.x.y.z") OR (dest="a.b.c.d" source="w.x.y.z"))</CODE></P> Thu, 17 Oct 2019 00:43:43 GMT diogofgm 2019-10-17T00:43:43Z https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462016#M12595 <P>I want to create an alert that will email us if we see any traffic that is not from a.b.c.d network communicating with w.x.y.z network (source or destination). I know I'm for sure missing stuff. </P> <P>Thank you to any help! <BR /> Justin </P> Wed, 16 Oct 2019 21:52:42 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462016#M12595 jdrogers83 2019-10-16T21:52:42Z https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462017#M12596 <P>query data with NOT keyword i.e. index="your index" NOT source="x.x.x.x" AND destination="x.x.x.x". Trigger alert when Number of records &gt; 0 or whatever threshold. </P> Wed, 16 Oct 2019 22:59:04 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462017#M12596 saagar203 2019-10-16T22:59:04Z https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462018#M12597 <P>Use this <BR /> <CODE>index=nettraffic NOT ((source="a.b.c.d" dest="w.x.y.z") OR (dest="a.b.c.d" source="w.x.y.z"))</CODE></P> Thu, 17 Oct 2019 00:43:43 GMT https://community.splunk.com/t5/Alerting/Splunk-Alert/m-p/462018#M12597 diogofgm 2019-10-17T00:43:43Z