Splunk Search

Excluding Messages With Custom Field Matching List of Values

deees
New Member

I'm tasked with auditing syslog messages from some network devices for suspicious activity. I can use the IN operator to extract the significant messages by message code.

Since some of these messages are legitimately generated by several management  servers, I want to remove those messages from the report. Blocking all the messages created by the management servers is excessive and could potentially create a security risk. I'm trying to restrict the filtering for these management server to the messages that are legitimate part of their operation.

I can select the syslog messages of interest using the message code field and a list of message numbers using the "IN" operator.

I wanted to use the same logic to exclude the management servers using the logic in the form of a "NOT  DEVICE_IP IN (192.168.1.10, 192.168.1.20, 192.168.1.30)"

Unfortunately, it doesn't work. What am I missing? Is there an equivalent function that will allow me to exclude a list of IP's? 

Labels (1)
0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @deees,

try this:

NOT (DEVICE_IP="192.168.1.10" OR DEVICE_IP="192.168.1.20" OR DEVICE_IP="192.168.1.30")

Ciao.

Giuseppe

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...