Drop a host from search if the destination (multi value field) matches external IP

CryoHydra
Path Finder

I need help with a Splunk search for the condition below.

The scenario is that I need to generate a report on hosts which are not connecting to external IPs (purely internal-connecting hosts).

I have a few hosts which are connecting to both external and internal IPs.

If I use |search destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16, this only shows the events of internal connections but does not drop the host from the search for the external connection events.

How do I filter hosts whose destinations are internal only? If an external IP is present, I need to drop that host from the search.

1 Solution

woodcock
Esteemed Legend

Like this:

<Your main search here> AND NOT [ <Your main search here, too> AND (destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16) | stats count BY src | table src ]

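The exclusion-subsearch pattern above, reproduced outside Splunk as an added example (not code from the thread) so the logic can be checked on sample data: the inner pass collects every src with at least one destination outside the three RFC 1918 ranges, and the outer pass drops all events from those hosts, including their internal-only events. It handles destination as a multi-value field (a list) and treats unparsable values as external; the sample events and host names are constructed.

```python
import ipaddress

# The three internal ranges used in the thread's search.
INTERNAL_NETS = [ipaddress.ip_network(c) for c in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    """True if ip is inside one of INTERNAL_NETS; unparsable values count as external."""
    try:
        return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)
    except ValueError:
        return False


def external_hosts(events):
    """The subsearch: every src that has at least one external destination value.
    destination may be a single string or a list (Splunk multi-value field)."""
    hosts = set()
    for ev in events:
        dests = ev["destination"]
        if isinstance(dests, str):
            dests = [dests]
        if any(not is_internal(d) for d in dests):
            hosts.add(ev["src"])
    return hosts


def internal_only_events(events):
    """The outer search: keep only events whose src is NOT in the subsearch result."""
    drop = external_hosts(events)
    return [ev for ev in events if ev["src"] not in drop]


# Constructed sample events (hypothetical hosts, not taken from the thread).
SAMPLE = [
    {"src": "web01", "destination": "10.1.2.3"},
    {"src": "web01", "destination": ["192.168.5.5", "203.0.113.7"]},  # one external value drops web01
    {"src": "db01", "destination": "172.20.0.9"},
    {"src": "db01", "destination": ["10.9.9.9", "172.31.255.1"]},
    {"src": "app01", "destination": "198.51.100.4"},
]

if __name__ == "__main__":
    for ev in internal_only_events(SAMPLE):
        print(ev)  # only the two db01 events survive
```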

sandeepmakkena
Contributor

You can use a lookup file with all your IP addresses.

| lookup Internal_IP_address.csv Internal_IP_address as IP_address OUTPUT Internal_IP_address
| table Internal_IP_address

IP_address ---> extracted from your logs/data

Upload Internal_IP_address.csv as a lookup. This will have all your internal IPs:

Internal_IP_address
10.X.X.11
12.xxxxxx


sandeepmakkena
Contributor

Did this work?


CryoHydra
Path Finder

I want to negate hosts from the search which connected to an external IP; your query helps with hosts connected to an internal IP?
