I am returning query results that give a list of IPs on which an event has occurred. I want to create an alert to fire historically on the data if the criteria are met; HOWEVER, I have a known IP address that will always meet the criteria (my IP). I would like to either exclude this from the results and then fire an event on the remaining results, or set a custom alert condition to alert on an event EXCEPT if it is from my IP.
This should be simple. I'm just missing it.
You can list all the IPs that you want to whitelist in a CSV file, then run your search against that file.
e.g.
tag=traffic NOT [|inputcsv kiristian_whitelist_IP.csv ]
Good luck.
Can you share your search phrase please? I'm trying to do a similar thing.
@chrisprangnell Try this pseudo-code:
your base search | stats count by ip | search NOT [| inputlookup knowniplist.csv | table ip ]
I actually did get this to work using NOT. I just needed to be more creative. Thanks.
Normally this would work, yes, but the way I am manipulating the data I can't seem to make the NOT command fit. Is there a way to get results of A, C, F, G but exclude F from my table results list?
Have you taken a look at the NOT operator? Or the != operator? Both could be used in your search to exclude results otherwise matching your search criteria.
/K
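The two suggestions in this thread (a whitelist CSV fed into NOT via a subsearch, and the NOT / != operators) can be combined into one complete search that counts events per IP, applies the alert threshold, and only then drops the whitelisted addresses. The search below is an added example written for this answer page, not one posted by any of the participants above. It assumes an index `main` with a `src_ip` field on `tag=traffic` events, an alert threshold of 5 events, and an uploaded lookup file named `known_ip_whitelist.csv` whose single column header is `src_ip` (one address per row); all of those names and the threshold are assumptions, so adjust them to your environment.

```spl
index=main tag=traffic
| stats count by src_ip
| where count >= 5
| search NOT [| inputlookup known_ip_whitelist.csv | table src_ip]

index=main tag=traffic
| stats count by src_ip
| where count >= 5
| lookup known_ip_whitelist.csv src_ip OUTPUT src_ip AS whitelisted
| where isnull(whitelisted)
| fields - whitelisted
```

The first search is the subsearch form from the thread: Splunk expands the bracketed `inputlookup` into `(src_ip="a") OR (src_ip="b") ...` and `search NOT` negates that whole list. The `table src_ip` inside the brackets matters, because the subsearch must return only the field you want matched. The second search produces the same result with the `lookup` command instead of a subsearch: every row whose `src_ip` appears in the CSV gets a `whitelisted` value, and `where isnull(whitelisted)` keeps only the rows that did not match. Prefer the second form when the whitelist is large, since subsearch results are capped (10,000 rows by default) and a truncated whitelist would silently let addresses through; saving either search as an alert with a "number of results > 0" trigger gives the "alert EXCEPT from my IP" behaviour the original question asked for.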