Dashboards & Visualizations

Modifying searches to exclude IP address

Ted1621
Observer

How would I modify this search :

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50

to exclude this IP Address: src_ip!="10.0.1.90"

Labels (2)
0 Karma

Ted1621
Observer

This did not seem to work I still see the failed logins from this source...

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ Authentication.src_ip!="10.0.1.90" by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50

0 Karma

bowesmana
SplunkTrust
SplunkTrust

How can you see that there are failed logins from this source? You tstats will only give you count, _time and user.

If you also split by the IP and don't do the timechart, can you see 10.0.1.90 as a src/src_ip?

Does your Authentication DM contains src_ip as opposed to just src?

0 Karma

bowesmana
SplunkTrust
SplunkTrust

I believe src is the field in the datamodel that contains the ip - so just add the constraint to the existing where clause

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ Authentication.src!="10.0.1.90" by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50
0 Karma
Get Updates on the Splunk Community!

See just what you’ve been missing | Observability tracks at Splunk University

Looking to sharpen your observability skills so you can better understand how to collect and analyze data from ...

Weezer at .conf25? Say it ain’t so!

Hello Splunkers, The countdown to .conf25 is on-and we've just turned up the volume! We're thrilled to ...

How SC4S Makes Suricata Logs Ingestion Simple

Network security monitoring has become increasingly critical for organizations of all sizes. Splunk has ...