Splunk Search

Drop a host from search if the destination (multi value field) matches external IP

CryoHydra
Path Finder

I need help with a Splunk search for the condition below.

The scenario is that I need to generate a report on hosts which are not connecting to external IPs (purely internal-connecting hosts).

I have a few hosts which are connecting to both external and internal IPs.

If I use |search destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16, this only shows the events of internal connections but does not drop the host from the search for external connection events.

How do I filter hosts whose destinations are internal only? If an external IP is present, I need to drop that host from the search.

1 Solution

woodcock
Esteemed Legend

Like this:

<Your main search here> AND NOT [ <Your main search here, too> AND (destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16) | stats count BY src | table src ]



sandeepmakkena
Contributor

You can use a lookup file with all your IP addresses.

| lookup Internal_IP_addresses.csv Internal_IP_address AS IP_address OUTPUT Internal_IP_address
| table Internal_IP_address

IP_address: extracted from your logs/data

Upload Internal_IP_addresses.csv as a lookup. This will have all your internal IPs:

Internal_IP_address
10.X.X.11
12.xxxxxx

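The filter the question asks for, as an added example that is not part of the thread and not code from either answer above: it runs the per-host exclusion over constructed sample events, so the logic can be checked before it is written as SPL. It covers both approaches discussed so far, the CIDR test from the accepted answer and the internal-address lookup file, the latter as a small allowlist set. Two caveats a practitioner would want: the accepted answer's subsearch returns sources that have at least one internal destination and NOTs them out of the main search, which excludes hosts with internal traffic rather than hosts with external traffic, and a subsearch is silently truncated at Splunk's defaults of 10,000 results and 60 seconds, so on a large host population some sources are never excluded. The shape that avoids both is a single pass that counts external destinations per source and keeps sources with a count of zero; the SPL in the docstring is the assumed equivalent of what the Python does, using cidrmatch and mvexpand because destination is a multivalue field. The allowlist value, event values and host names are all constructed.

```python
"""Added example (not from the original thread): per-host exclusion logic
for the 'purely internal' report, run over constructed sample events.

Assumed SPL equivalent of what this module computes (one pass, no subsearch):
    <main search>
    | mvexpand destination
    | eval is_internal=if(cidrmatch("10.0.0.0/8",destination)
          OR cidrmatch("172.16.0.0/12",destination)
          OR cidrmatch("192.168.0.0/16",destination), 1, 0)
    | stats count(eval(is_internal=0)) AS external_count,
            values(destination) AS destinations BY src
    | where external_count=0
One external destination in any event is enough to drop the source host.
"""
import ipaddress

# The three RFC 1918 ranges from the question (assumption: nothing else counts as internal)
INTERNAL_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed stand-in for the lookup CSV of internal addresses (hypothetical value)
KNOWN_INTERNAL = {"100.64.0.5"}


def is_internal(destination, networks=INTERNAL_NETWORKS, allowlist=KNOWN_INTERNAL):
    """True when the destination is inside an internal CIDR or listed in the allowlist.

    A value that is not an IP address (a hostname, an empty string) is treated as
    NOT internal, so a host that talked to an unresolved name is conservatively
    kept out of the 'purely internal' report instead of being counted as internal.
    """
    dest = destination.strip()
    if dest in allowlist:
        return True
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def internal_only_hosts(events):
    """Return (kept, dropped): sources with no external destination in any event,
    and sources dropped because at least one destination was external.

    `destination` is a list per event, mirroring the multivalue field in the question;
    iterating it is the mvexpand step.
    """
    external_count = {}
    for event in events:
        src = event["src"]
        external_count.setdefault(src, 0)
        for dest in event["destination"]:
            if not is_internal(dest):
                external_count[src] += 1
    kept = sorted(s for s, n in external_count.items() if n == 0)
    dropped = sorted(s for s, n in external_count.items() if n > 0)
    return kept, dropped


# Constructed sample events (not real log data)
SAMPLE_EVENTS = [
    {"src": "10.1.1.10", "destination": ["10.2.2.2", "192.168.5.5"]},
    {"src": "10.1.1.10", "destination": ["172.31.0.9"]},              # top of the /12
    {"src": "10.1.1.20", "destination": ["10.2.2.2"]},
    {"src": "10.1.1.20", "destination": ["10.3.3.3", "8.8.8.8"]},     # one external hit
    {"src": "10.1.1.30", "destination": ["100.64.0.5"]},              # internal only via allowlist
    {"src": "10.1.1.40", "destination": ["172.32.0.1"]},              # just outside 172.16.0.0/12
    {"src": "10.1.1.50", "destination": ["updates.example.net"]},     # not an IP at all
]

if __name__ == "__main__":
    kept, dropped = internal_only_hosts(SAMPLE_EVENTS)
    print("purely internal:", kept)
    print("dropped (external destination seen):", dropped)
```

Run as-is it reports 10.1.1.10 and 10.1.1.30 as purely internal and drops the other three; note that 10.1.1.40 is dropped only because 172.32.0.1 falls one address past the /12, which is the kind of boundary a lookup file of exact addresses will not catch unless it is kept complete.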

sandeepmakkena
Contributor

Did this work?


CryoHydra
Path Finder

I want to exclude hosts from the search which connected to an external IP. Your query helps with hosts connected to internal IPs?
