I need help on a Splunk search for the below condition.
The scenario here is that I need to generate a report on hosts which are not connecting to external IPs (purely internal-connecting hosts).
I have a few hosts which are connecting to both external and internal IPs.
If I use |search destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16
- this only shows the events of internal connections but does not drop the host from the search for its external connection events.
How do I filter hosts which have internal-only destinations? If an external IP is present, I need to drop that host from the search.
Like this:
<Your main search here> AND NOT [ <Your main search here, too> AND (destination=10.0.0.0/8 OR destination=172.16.0.0/12 OR destination=192.168.0.0/16) | stats count BY src | table src ]
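To make the "drop the whole host, not just its external events" distinction concrete, here is an added example (not from the answer above or from Splunk) that classifies constructed sample events per source host the way a stats-by-src search would, using the three RFC 1918 ranges from the question; the event shape (src, destination) and the sample values are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events in the shape the question implies: one row per connection.
SAMPLE_EVENTS = [
    {"src": "10.1.1.5", "destination": "10.0.0.20"},
    {"src": "10.1.1.5", "destination": "172.16.4.9"},
    {"src": "10.1.1.7", "destination": "10.0.0.20"},
    {"src": "10.1.1.7", "destination": "8.8.8.8"},     # one external hit: host must be dropped
    {"src": "10.1.1.9", "destination": "192.168.1.1"},
    {"src": "10.1.1.9", "destination": "not-an-ip"},   # malformed destination field
]

# The internal ranges named in the question.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in
                   ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(dest):
    """True only for a parseable address inside one of the internal ranges.

    Assumption: an unparseable destination is treated as NOT internal, so a host
    with bad data fails closed (it is dropped from the internal-only report).
    """
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_RANGES)


def internal_events_only(events):
    """The event-level filter from the question, kept for contrast.

    It keeps 10.1.1.7's internal rows even though that host also went external.
    """
    return [ev for ev in events if is_internal(ev["destination"])]


def internal_only_hosts(events):
    """Hosts whose every destination is internal (what the report actually needs).

    Equivalent SPL idea: count external hits per src and keep only zero-count hosts:
      | eval ext=if(cidrmatch("10.0.0.0/8",destination) OR cidrmatch("172.16.0.0/12",destination)
                    OR cidrmatch("192.168.0.0/16",destination), 0, 1)
      | stats sum(ext) AS external_count BY src | where external_count=0
    """
    external_count = defaultdict(int)
    for ev in events:
        external_count[ev["src"]] += 0 if is_internal(ev["destination"]) else 1
    return sorted(src for src, n in external_count.items() if n == 0)
```

Running it on the sample shows the gap: the event filter still reports three hosts, while the per-host aggregation returns only 10.1.1.5.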
You can use a lookup file with all your IP addresses.
| lookup Internal_IP_addresses.csv Internal_IP_aadress as IP_address OUTPUT Internal_IP_address
| table Internal_IP_address
IP_address ----> extracted from your logs/data
Internal_IP_address.csv: upload it as a lookup. This will have all your internal IPs.
Internal_IP_aadress
10.X.X.11
12.xxxxxx
Did this work?
I want to negate hosts from the search which connected to an external IP. Does your query help with hosts connected to internal IPs?