Splunk Enterprise Security

How to exclude IPs from results while using Tstats and a sourcetype that is not the same?

aminfosec
New Member

Current search is essentially this:

| tstats values(All_Traffic.src) AS src
    FROM datamodel=Network_Traffic.All_Traffic
    BY All_Traffic.dest
| lookup mythreatlist IOC AS All_Traffic.dest OUTPUTNEW list
| search list=*
| search NOT whitelistedSources
| search NOT whitelistedDestinations

The tstats data model uses a sourcetype that returns logs that do not have the URL in them, only the destination IP. This cannot change. A second sourcetype, stURL, does have the URLs. I am looking for a way to use a subsearch/join so that I can exclude all source IPs where the URL is splunkdotcom, even if the IP for splunkdotcom is on my threat list.

I have tried to create the subsearch

[search index=A sourcetype=stURL url="*splunkdotcom*" | fields src]

to obtain all source IPs that visited splunk.com and then exclude them from my tstats search, but it does not appear to be working as intended.


woodcock
Esteemed Legend

Try this:

|tstats values(All_Traffic.src) as src 
FROM datamodel=Network_Traffic.All_Traffic
WHERE NOT [search index=A sourcetype=stURL url="*splunkdotcom*" | fields src | rename src AS "All_Traffic.src"]
BY All_Traffic.dest
...
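
A complete version of the search with the WHERE NOT subsearch from the answer above dropped back into the original pipeline, as an added example that is not code from any post on this page. It assumes the names used in the question (index=A, sourcetype=stURL, a lookup named mythreatlist whose match field is IOC and whose output field is list). The stats count BY src step inside the subsearch is an added deduplication, and the two whitelist filters from the original search are left out because the page does not show how they are defined.

```spl
| tstats values(All_Traffic.src) AS src
    FROM datamodel=Network_Traffic.All_Traffic
    WHERE NOT [ search index=A sourcetype=stURL url="*splunkdotcom*"
                | stats count BY src
                | fields src
                | rename src AS "All_Traffic.src" ]
    BY All_Traffic.dest
| rename All_Traffic.dest AS dest
| lookup mythreatlist IOC AS dest OUTPUTNEW list
| search list=*
| table dest list src
```

The subsearch runs first and is replaced by an OR of its rows, for example NOT (("All_Traffic.src"="10.0.0.5") OR ("All_Traffic.src"="10.0.0.6")), which is why the field has to be renamed to the data-model name. Putting the exclusion in the WHERE clause applies it to the raw data-model rows before values() collapses the sources per destination; a | search NOT [...] after tstats runs too late, because by then src is a multivalue list per dest and a match on any one element drops the whole destination row. Two limits matter in practice: the subsearch inherits the outer search's time range unless earliest/latest are set inside it, and with default limits.conf settings it returns at most 10,000 rows and is cut off after 60 seconds, so deduplicating the source IPs with stats (or dedup) before they are handed outward keeps a busy web proxy from silently truncating the exclusion list. Note also that url="*splunkdotcom*" is a substring match, so it whitelists any URL that merely contains that string anywhere in the host or path; if the URL is parsed into fields, match on the host field instead.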

jkat54
SplunkTrust

Your subsearch is very close to being what you want.

You'll need to add

| format 

or

| return src

to your subsearch, depending on how you want the subsearch to work. In this case | return seems the most appropriate.

See the docs for format and return as needed.

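
To see what the bracketed subsearch actually turns into, and why the count argument matters for return, here is a self-contained demonstration built on makeresults so it runs on any Splunk instance without the index or data model. It is an added example, not code from either answer, and the IP addresses are constructed sample values: three sources, two of which appear in the exclusion list.

```spl
| makeresults count=4
| streamstats count AS n
| eval src=case(n=1, "10.0.0.5", n=2, "10.0.0.6", n=3, "10.0.0.7", n=4, "10.0.0.5"),
       dest=case(n=1, "203.0.113.10", n=2, "203.0.113.10", n=3, "198.51.100.7", n=4, "198.51.100.7")
| search NOT [ | makeresults count=2
               | streamstats count AS n
               | eval src=if(n=1, "10.0.0.5", "10.0.0.6")
               | return 100 src ]
| table src dest
```

The inner search expands to (src="10.0.0.5") OR (src="10.0.0.6"), so only the 10.0.0.7 row survives. Drop the count and write | return src, and the command falls back to its default of one row: only 10.0.0.5 is excluded and the 10.0.0.6 row leaks through, which is the kind of silent gap an exclusion list must not have. A subsearch that ends in | fields src is formatted into the same OR expression implicitly; appending | format changes nothing about the outer search, but running the subsearch on its own with | format added shows the exact string being substituted in a field named search, which is the quickest check when a subsearch "does not appear to be working". Use return $src rather than return src only if you want bare values with no field name, since those are then matched as free-text terms against the events instead of against a field.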

jkat54
SplunkTrust

[image]


woodcock
Esteemed Legend

Right, but it does that anyway; you just don't get to see it.


woodcock
Esteemed Legend

I don't think you said what you meant to say. Adding | format will change absolutely nothing about the effect of the subsearch other than readability.
