Splunk Enterprise Security

Excessive DNS Queries exclude by tag

New Member

Hi,

I tried to find out how to exclude tags from a tstats search. My search is:
| tstats summariesonly=true allowoldsummaries=true count from datamodel="NetworkResolution"."DNS" where "DNS.messagetype"="QUERY" by "DNS.src" | rename "DNS.src" as "src" | where 'count'>100

I want to make a custom tag and exclude it from the search. The tag name could be "DNS" on the src address.

I can exclude a single IP address with this query, but I would like to exclude src IP addresses that have the tag "DNS":
| tstats summariesonly=true allowoldsummaries=true count from datamodel="NetworkResolution"."DNS" where DNS.src!=8.8.8.8 AND "DNS.messagetype"="QUERY" by "DNS.src" | rename "DNS.src" as "src" | where 'count'>100

How should I change the query?

I have already tried to exclude:
"tag::src"!=DNS
"tag::DNS.src"!=DNS

With no results.

0 Karma
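As an added example (not part of the original post or any reply): the single-IP exclusion in the question generalizes to a maintained list of excluded resolvers by keeping that list in a lookup and filtering after the tstats call. Field-value tags such as tag::src are resolved at search time against raw events and are not available as fields in an accelerated data model summary, which is why the "tag::src"!=DNS filter returns nothing inside tstats; a lookup is the usual substitute. The data model and field names are kept exactly as posted; the lookup file dns_server_exclusions.csv and its columns src and exclude_reason are assumptions for this example.

```spl
| tstats summariesonly=true allowoldsummaries=true count
    from datamodel="NetworkResolution"."DNS"
    where "DNS.messagetype"="QUERY"
    by "DNS.src"
| rename "DNS.src" as src
| lookup dns_server_exclusions.csv src OUTPUT exclude_reason
| where isnull(exclude_reason) AND 'count'>100
| fields - exclude_reason
```

The lookup CSV is assumed to hold one row per approved resolver, for example src,exclude_reason with a row 8.8.8.8,public resolver; any src that matches gets exclude_reason filled in and is dropped by the isnull check, while every other source keeps the original count>100 threshold. Keeping the threshold after the lookup rather than inside tstats means the exclusion list can grow without touching the accelerated search, and the exclude_reason column gives reviewers an audit trail for why a source is allowed to exceed the threshold.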