Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Eliminate Specific results from search query

alexspunkshell
Contributor
‎01-06-2021 08:18 PM

Hi All,

I want to eliminate TruestedLocation = Zscaler in my splunk search result.

Below is my query and screenshot. Please help me with splunk query.

Thanks in advance.

 

index=test "vendorInformation.provider"=IPC
| eval Event_Date=mvindex('eventDateTime',0)
| eval UPN=mvindex('userStates{}.userPrincipalName',0)
| eval Logon_Location=mvindex('userStates{}.logonLocation',0)
| eval Event_Title=mvindex('title',0)
| eval Event_Severity=mvindex('severity',0)
| eval AAD_Acct=mvindex('userStates{}.aadUserId',0)
| eval LogonIP=mvindex('userStates{}.logonIp',0)
| eval Investigate=+"https://portal.azure.com/#blade/Microsoft_AAD_Acct
| stats count by Event_Date, Event_Title, Event_Severity UPN Logon_Location LogonIP Investigate
| lookup WeirMFAStatusLookup.csv userPrincipalName as UPN
| lookup Lookup_EMPADInfo.csv userPrincipalName as UPN
| lookup WeirSiteCode2IP.csv public_ip as LogonIP
| lookup ZscalerIP CIDR_IP as LogonIP
| lookup WeirTrustedIPs.csv TrustedIP as LogonIP
| fillnull value="Unknown Site" site_code
| eval AD_Location=st + ", " + c
| fillnull value="OK" MFAStatus
| eval TrustedLocation=if(isnull(TrustedLocation), ZLocation, TrustedLocation)
| rename site_code as LogonSiteCode
| table Event_Date, Event_Title, Event_Severity UPN LogonIP LogonSiteCode Logon_Location AD_Location TrustedLocation MFAStatus count Investigate
| sort - Event_Date

 

alexspunkshell_0-1609992770163.png

@isoutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @to4kawa

Labels (4)
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-06-2021 08:46 PM

If you are saying you want to remove the field value 'Zscaler' from the TrustedLocation field, where Zscaler is one value of a multi-value field, then this will remove it

| eval TrustedLocation=mvfilter(!match(TrustedLocation,"Zscaler"))

If I've misunderstood your requirement and you want to remove all rows where TrustedLocation contains Zscaler then

| where isnull(mvfind(TrustedLocation,"Zscaler"))

Hope this helps

 

 

View solution in original post

Reply
Solved! Jump to solution

to4kawa
Ultra Champion
‎01-06-2021 09:55 PM

eliminate?

...
| where !match(TruestedLocation,"Zscaler")

or

...
| rex field=TruestedLocation mode=sed "s/Zscaler//"

 

Reply
Solved! Jump to solution
Solution

bowesmana
SplunkTrust
SplunkTrust
‎01-06-2021 08:46 PM

If you are saying you want to remove the field value 'Zscaler' from the TrustedLocation field, where Zscaler is one value of a multi-value field, then this will remove it

| eval TrustedLocation=mvfilter(!match(TrustedLocation,"Zscaler"))

If I've misunderstood your requirement and you want to remove all rows where TrustedLocation contains Zscaler then

| where isnull(mvfind(TrustedLocation,"Zscaler"))

Hope this helps

 

 

Reply
Get Updates on the Splunk Community!

.conf23 | Get Your Cybersecurity Defense Analyst Certification in Vegas

We’re excited to announce a new Splunk certification exam being released at .conf23! If you’re going to Las ...

Starting With Observability: OpenTelemetry Best Practices

Tech Talk Starting With Observability: OpenTelemetry Best Practices Tuesday, October 17, 2023   |  11AM PST / ...

Streamline Data Ingestion With Deployment Server Essentials

REGISTER NOW! Every day the list of sources Admins are responsible for gets bigger and bigger, often making ...