Re: Exclude a known IP from results

MattQ · ‎04-25-2013

I am returning query results that give a list of IPs on which an event has occurred. I want to create an alert to fire historically on the data if criteria is met HOWEVER I have a known IP address that will always meet the criteria (my IP). I would like to exclude this either from the results and then fire an event on the remaining results or set a custom alert condition to alert on an event EXCEPT if it is from my IP.

This should be simple. Just missing it

mosman_splunk · ‎05-12-2016

you can list all your IP that you want to white lsit in CSV file then run your search againest that file

eg

tag=traffic NOT [|inputcsv kiristian_whitelist_IP.csv ]

good luck

chrisprangnell · ‎05-12-2016

can you share your search phrase please im trying to do similar thing.

sundareshr · ‎05-12-2016

@chrisprangnell Try this pseudo code

your base search | stats count by ip | search NOT [| inputlookup knowniplist.csv | table ip ]

MattQ · ‎04-25-2013

I actually did get this to work using NOT. I just needed to be more creative. Thanks

MattQ · ‎04-25-2013

Normally this would work yes but the way I am manipulating the data I cant seem to make the NOT command fit. Is there a way to get results of A, C, F, G but exclude: F from my table results list?

kristian_kolb · ‎04-25-2013

Have you taken a look at the NOT operator? Or the != operator? Both could be used in your search to exclude results otherwise matching your search criteria.

/K

Exclude a known IP from results

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...