Splunk Search

Exclude filter for multiple strings in Queries

NeonFlash
Explorer

Hi,

I am parsing the DNS logs in Splunk and in order to refine my search results, I use something like the following.

For an IP Address: xxx.xxx.xxx.xxx, which sends DNS queries for a host at some point in time, I would like to view the list of all the different hosts queried.

So, my splunk search is:

xxx.xxx.xxx.xxx sourcetype="dns" | table _time, query

There are many results where I have entries of subdomains of yyy.com and zzz.com which I want to filter out.

I can write something like the following to exclude just one of the domains from the results:

xxx.xxx.xxx.xxx sourcetype="dns" query!="yyy" | table _time, query

Now, 2 questions:

  1. How do I do this for 2 or more domains which I would like to exclude? Is there an option to use an AND or OR operator?
  2. How do I display only the unique query entries in the results?

I know we can use the below search to display all unique query entries and a count of them:

xxx.xxx.xxx.xxx sourcetype="dns" query!="yyy" | table _time, query | stats count by query

But this way, the _time column is not shown in the results which I would definitely not want to omit from the results.

Thanks.

1 Solution

Ayn
Legend
  1. Yes, there is that option. The AND operator is implicit between search terms but can also be explicitly specified. The OR operator between search terms obviously removes the implicit AND. Additionally there is the NOT operator. So, you could do something like

    xxx.xxx.xxx.xxx sourcetype="dns" NOT (query="*.yyy.com" OR query="*.zzz.com")

  2. That depends on what you consider "unique" - you say you want the time info in your results, but as long as you start removing events you will obviously also remove their corresponding time info. You could run dedup with the query field as an argument to only get one event per query. I think it would be interesting to get a count of queries towards each domain from each IP address and at what times they occurred, by doing something like this (assuming the IP address is extracted to a field called ip_address):

    ... | stats values(eval(strftime(_time,"%+"))) as querytime,count by ip_address,query

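The following is an added example, not part of the original thread and not Splunk code: a small Python model of the searches discussed above, run over constructed DNS events so the filtering and dedup behaviour can be checked offline. Field names ip_address, query and _time follow the thread; 10.0.0.5 stands in for xxx.xxx.xxx.xxx, and every event is made up. Two caveats it makes visible that are easy to miss in Splunk itself: NOT (query="*.yyy.com" OR ...) keeps events where the query field was never extracted, because no comparison was true, whereas query!="*.yyy.com" requires the field to exist and drops those events; and the wildcard pattern *.yyy.com does not match the apex name yyy.com, while a pattern with no * at all is an exact (case-insensitive) match against the whole field value.

```python
# Added example (not from the original post, not Splunk code): a model of the
# NOT/OR exclusion, dedup, and stats searches from the thread over constructed events.
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, one DNS lookup each. Field names are assumed to be
# extracted as in the thread: _time (epoch seconds), ip_address, query.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "ip_address": "10.0.0.5", "query": "www.example.com"},
    {"_time": 1700000030, "ip_address": "10.0.0.5", "query": "cdn.yyy.com"},
    {"_time": 1700000060, "ip_address": "10.0.0.5", "query": "api.zzz.com"},
    {"_time": 1700000090, "ip_address": "10.0.0.5", "query": "www.example.com"},
    {"_time": 1700000120, "ip_address": "10.0.0.5", "query": "mail.example.org"},
    {"_time": 1700000150, "ip_address": "10.0.0.5", "query": "yyy.com"},  # apex name: "*.yyy.com" does not match it
    {"_time": 1700000180, "ip_address": "10.0.0.5"},  # query field was not extracted
    {"_time": 1700000210, "ip_address": "10.0.0.9", "query": "www.example.com"},
]

EXCLUDE = ["*.yyy.com", "*.zzz.com"]


def splunk_match(value, pattern):
    """Splunk field=value wildcard: only '*' is special (it matches any run of
    characters, dots included) and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE) is not None


def matches_any(event, field, patterns):
    return field in event and any(splunk_match(event[field], p) for p in patterns)


def exclude_with_not(events, patterns):
    """NOT (query=p1 OR query=p2): drop events whose query matches any pattern.
    Events with no query field are kept, because no comparison was true."""
    return [e for e in events if not matches_any(e, "query", patterns)]


def exclude_with_neq(events, patterns):
    """query!=p1 query!=p2: '!=' requires the field to exist, so events with no
    query field are dropped as well."""
    return [e for e in events if "query" in e and not matches_any(e, "query", patterns)]


def newest_first(events):
    """Splunk returns search results newest-first by default."""
    return sorted(events, key=lambda e: e["_time"], reverse=True)


def dedup(events, field):
    """| dedup <field>: keep the first event seen per value, in the order given
    (pass newest_first() to keep the latest lookup, as Splunk would). Events that
    lack the field are dropped, matching dedup's default keepempty=false."""
    seen, kept = set(), []
    for e in events:
        if field not in e or e[field] in seen:
            continue
        seen.add(e[field])
        kept.append(e)
    return kept


def strftime_plus(epoch):
    """Splunk's %+ preset expands to '%a %b %d %H:%M:%S %Z %Y'; rendered here in UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%a %b %d %H:%M:%S %Z %Y")


def stats_querytime_count(events):
    """| stats values(eval(strftime(_time,"%+"))) as querytime, count by ip_address, query
    values() gives the distinct formatted times per group (lexically sorted, as Splunk
    does); events missing either by-field are left out of the grouping."""
    groups = defaultdict(lambda: {"querytime": set(), "count": 0})
    for e in events:
        if "ip_address" not in e or "query" not in e:
            continue
        g = groups[(e["ip_address"], e["query"])]
        g["querytime"].add(strftime_plus(e["_time"]))
        g["count"] += 1
    return {k: {"querytime": sorted(v["querytime"]), "count": v["count"]}
            for k, v in groups.items()}


if __name__ == "__main__":
    for_host = [e for e in SAMPLE_EVENTS if e["ip_address"] == "10.0.0.5"]
    kept = exclude_with_not(for_host, EXCLUDE)
    print("NOT (...) keeps", len(kept), "events; != keeps", len(exclude_with_neq(for_host, EXCLUDE)))
    for e in dedup(newest_first(kept), "query"):
        print(strftime_plus(e["_time"]), e["query"])
    for (ip, q), g in sorted(stats_querytime_count(kept).items()):
        print(ip, q, g["count"], g["querytime"])
```

Running it shows the difference between the two exclusion forms on the event with no query field (six events kept by NOT, five by !=), that dedup keeps the most recent lookup of each name together with its _time, and that the stats form keeps every distinct timestamp per (ip_address, query) pair at the cost of one row per pair rather than one row per event.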
