Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

X and NOT X choice in checkbox

mmasalas
Explorer
‎05-05-2021 12:42 AM

I have some data about email statistics, where one of relevant fields is source IP address. I'm building a dashboard and wanted to add input field on that source IP.  That input field should have three choices:

  1. All possible source IPs. That is going to be "*".
  2. our own MX addresses.
  3. every external IP (i.e., all possible source IPs, except the ones listed in 2)

In the case of 1 and 2 I have token and search is going to have expression like "src_ip = X". But I cannot find how to combine it with 3, where I'd have to negate condition, something like "src_ip != MX_IP". Any ideas?

Also, at the moment I'm trying to do it via checkbox, but if another type would be more suitable, let me know.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 12:56 AM

How would you search for condition 3?

0 Karma
Reply

mmasalas
Explorer
‎05-05-2021 01:05 AM

In manual search it would be "src_ip != MX_address" where MX_address is the one specified in condition 2. In case of several internal IPs: "src_ip != MX_address1 src_ip != MX_address2 src_ip != MX_address3 ...", but for simplicity we may assume now that there is only one internal IP.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 01:12 AM

Seems to be no reason why this part of the search can't be the value of the token when the option is selected. Another option for the token could be "NOT src_ip IN (MX_address1 MX_address2 MX_address3)"?

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...

[Puzzles] Solve, Learn, Repeat: Dereferencing XML to Fixed-length events

This challenge was first posted on Slack #puzzles channelFor a previous puzzle, I needed a set of fixed-length ...

Stay Connected: Your Guide to December Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...