Dashboards & Visualizations
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Modifying searches to exclude IP address

Ted1621
Observer
‎10-09-2022 03:21 PM

How would I modify this search :

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50

to exclude this IP Address: src_ip!="10.0.1.90"

Labels (2)
Labels
0 Karma
Reply

Ted1621
Observer
‎10-09-2022 08:00 PM

This did not seem to work I still see the failed logins from this source...

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ Authentication.src_ip!="10.0.1.90" by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-09-2022 08:44 PM

How can you see that there are failed logins from this source? You tstats will only give you count, _time and user.

If you also split by the IP and don't do the timechart, can you see 10.0.1.90 as a src/src_ip?

Does your Authentication DM contains src_ip as opposed to just src?

0 Karma
Reply

bowesmana
SplunkTrust
SplunkTrust
‎10-09-2022 03:48 PM

I believe src is the field in the datamodel that contains the ip - so just add the constraint to the existing where clause

| tstats prestats=true summariesonly=true allow_old_summaries=true count from datamodel=Authentication.Authentication where Authentication.app=win* Authentication.action=$action$ Authentication.src!="10.0.1.90" by _time, Authentication.user span=10m
| timechart minspan=10m useother=true count by Authentication.user limit=50
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk + ThousandEyes: Correlate frontend, app, and network data to troubleshoot ...

 Are you tired of troubleshooting delays caused by siloed frontend, application, and network data? We've got a ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI!Discover how Splunk’s agentic AI ...

🔐 Trust at Every Hop: How mTLS in Splunk Enterprise 10.0 Makes Security Simpler

From Idea to Implementation: Why Splunk Built mTLS into Splunk Enterprise 10.0  mTLS wasn’t just a checkbox ...