Splunk Search

Drop a host from search if the destination (multi value field) matches external IP

CryoHydra
Path Finder

I need help on splunk search for the below condition,

The scenario here is like i need to generate a report on hosts which are not connecting external IP's . (purely internal connecting host)

I have few hosts which is connecing to both external and internal IP.

if i use |search destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16 - this only shows the events of internal connection but not droping host from search for external connection events.

how do i filter hosts which has destination internal only if external ip present i need to drop that host from search.

Tags (1)
0 Karma
1 Solution

woodcock
Esteemed Legend

Like this:

<Your main search here> AND NOT [ <Your main search here, too> AND (destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16) | stats count BY src | table src ]

View solution in original post

0 Karma

woodcock
Esteemed Legend

Like this:

<Your main search here> AND NOT [ <Your main search here, too> AND (destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16) | stats count BY src | table src ]
0 Karma

sandeepmakkena
Contributor

You can use a lookup file with all your ip addresses.

| lookup Internal_IP_addresses.csv Internal_IP_aadress as IP_address OUTPUT Internal_IP_address
| table Internal_IP_address

IP_address----> Extract from your logs/data

Internal_IP_address.csv upload in the lookup. This will have all your internal IP's

Internal_IP_aadress
10.X.X.11
12.xxxxxx

0 Karma

sandeepmakkena
Contributor

Did this work ??

0 Karma

CryoHydra
Path Finder

i want to negate host from search which connected to external IP , you query helps in host connected to internal IP ?

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...