Hi, my search:
I'm try fast mode but status the same, My Splunk OS 5.04.
Please help me, thanks.
index="xxx" srcip !="1.1.1.1" srcip != "2.2.2.2" srcip != "3.3.3.3" dstip != "111..." dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) |strcat " " n url " " as weburl |stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate values(policyid) as policyid values(weburl) as weburl by dstip |sort 10 search srcip="123.123.123.123" |head 10
Hi chengyu,
try to build the search command in a manner, that it will search for events you will need instead of excluding what you don't need. Change your provided search example like this:
index="xxx" srcip="123.123.123.123" dstip != "111..." dstip !="112.1.1." dstip != "163.1.1." dstip != "10.1.1." | eval bandwidth=rcvdbyte+sentbyte | eval bandwidth(MB) = round(bandwidth/1024/1024,2) | strcat " " time " " as Date | eval n = coalesce(hostname, host_name) | strcat " " n url " " as weburl | stats sum(bandwidth(MB)) as bandwidth(MB) values(srcip) as srcip values(service) as service values(attack) as app last(Date) as FirstDate first(Date) as LastDate values(policyid) as policyid values(weburl) as weburl by dstip | sort 10 |head 10
a note form the docs about search operators:
Note: Inclusion is generally better than exclusion. Searching for "access denied" will yield faster results than NOT "access granted".
You can go further and tune the dstip
filters to reduce the !=
hope this helps ...
cheers, MuS