topic Re: Help with a simple search in Splunk Search

Help with a simple search

agallegos — Wed, 01 Jun 2022 20:10:38 GMT

I am trying to do a search where by:

index=firewall (src_ip=172.16.0.0/12) dest_ip!(172.16.0.0/12) | table src_ip src_port dest_ip dest_port | dedup src_ip

When I run this search I still see 172.16.0.0/12 destination IP addresses. I've also tried it this way:

index=firewall (src_ip=172.16.0.0/12) NOT dest_ip! IN (172.16.0.0/12) | table src_ip src_port dest_ip dest_port | dedup src_ip

Re: Help with a simple search

richgalloway — Wed, 01 Jun 2022 20:33:26 GMT

Assuming it's not just a typo in the question, the syntax is incorrect. Try this:

index=firewall src_ip=172.16.0.0/12 dest_ip!=172.16.0.0/12 | dedup src_ip | table src_ip src_port dest_ip dest_port

Re: Help with a simple search

agallegos — Wed, 01 Jun 2022 21:08:31 GMT

Does it matter if the dedup was last or the second statement?

Re: Help with a simple search

richgalloway — Thu, 02 Jun 2022 00:19:13 GMT

Putting dedup first allows the indexers to do part of the deduplication. The table command, however, forces execution of the query back to the search head which then has to do all of the deduplication so having the dedup last is less performant.