Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

X and NOT X choice in checkbox

mmasalas
Explorer
‎05-05-2021 12:42 AM

I have some data about email statistics, where one of relevant fields is source IP address. I'm building a dashboard and wanted to add input field on that source IP.  That input field should have three choices:

  1. All possible source IPs. That is going to be "*".
  2. our own MX addresses.
  3. every external IP (i.e., all possible source IPs, except the ones listed in 2)

In the case of 1 and 2 I have token and search is going to have expression like "src_ip = X". But I cannot find how to combine it with 3, where I'd have to negate condition, something like "src_ip != MX_IP". Any ideas?

Also, at the moment I'm trying to do it via checkbox, but if another type would be more suitable, let me know.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 12:56 AM

How would you search for condition 3?

0 Karma
Reply

mmasalas
Explorer
‎05-05-2021 01:05 AM

In manual search it would be "src_ip != MX_address" where MX_address is the one specified in condition 2. In case of several internal IPs: "src_ip != MX_address1 src_ip != MX_address2 src_ip != MX_address3 ...", but for simplicity we may assume now that there is only one internal IP.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 01:12 AM

Seems to be no reason why this part of the search can't be the value of the token when the option is selected. Another option for the token could be "NOT src_ip IN (MX_address1 MX_address2 MX_address3)"?

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

This puzzle (first published here) is based on matching timestamps to cron expressions.All the timestamps ...

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

Hello Splunkers,  We’re excited to kick off a Splunk Dashboard contest! We know that dashboards are a primary ...

May 2026 Splunk Expert Sessions: Security & Observability

Level Up Your Operations: May 2026 Splunk Expert Sessions Whether you are refining your security posture or ...