Dashboards & Visualizations
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

X and NOT X choice in checkbox

mmasalas
Explorer
‎05-05-2021 12:42 AM

I have some data about email statistics, where one of relevant fields is source IP address. I'm building a dashboard and wanted to add input field on that source IP.  That input field should have three choices:

  1. All possible source IPs. That is going to be "*".
  2. our own MX addresses.
  3. every external IP (i.e., all possible source IPs, except the ones listed in 2)

In the case of 1 and 2 I have token and search is going to have expression like "src_ip = X". But I cannot find how to combine it with 3, where I'd have to negate condition, something like "src_ip != MX_IP". Any ideas?

Also, at the moment I'm trying to do it via checkbox, but if another type would be more suitable, let me know.

Labels (1)
Labels
0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 12:56 AM

How would you search for condition 3?

0 Karma
Reply

mmasalas
Explorer
‎05-05-2021 01:05 AM

In manual search it would be "src_ip != MX_address" where MX_address is the one specified in condition 2. In case of several internal IPs: "src_ip != MX_address1 src_ip != MX_address2 src_ip != MX_address3 ...", but for simplicity we may assume now that there is only one internal IP.

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎05-05-2021 01:12 AM

Seems to be no reason why this part of the search can't be the value of the token when the option is selected. Another option for the token could be "NOT src_ip IN (MX_address1 MX_address2 MX_address3)"?

0 Karma
Reply
Get Updates on the Splunk Community!

Accelerating Observability as Code with the Splunk AI Assistant

We’ve seen in previous posts what Observability as Code (OaC) is and how it’s now essential for managing ...

Integrating Splunk Search API and Quarto to Create Reproducible Investigation ...

 Splunk is More Than Just the Web Console For Digital Forensics and Incident Response (DFIR) practitioners, ...

Congratulations to the 2025-2026 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...