Hello Splunkers!
Today I'm building a report in which I'm tasked with excluding some specific results. These are typical Windows authentication logs.
I have certain IPs and a logon type which, when they match, should be excluded.
For instance, let's say I have an authentication from IP 18.104.22.168 with logon type 4; I must exclude it from the report. But I can't specify in my alert
ip="22.214.171.124" AND logon_type!=4
That would only select IP 126.96.36.199, while I want to keep every IP except 188.8.131.52 when the logon type equals 4.
I found a solution with the eval function:
... request ... | eval exclude=if((ip="184.108.40.206" AND logon_type="4"), "true", "false") | where exclude!="true" | ... do some formatting ...
I wonder then: isn't there another solution to my problem? Because this one sounds counterintuitive, having to create a new field with a specific value only to sort which rows to keep and which ones to exclude.
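A more direct way to express the same exclusion, added here as an example and not taken from the original post, is to negate the whole compound condition with NOT instead of building a helper field and filtering on it. It assumes the field names ip and logon_type used in the question, uses 18.104.22.168 as the address to exclude, and the base search on the first line is an assumed placeholder for the poster's "... request ...".

```spl
index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
| search NOT (ip="18.104.22.168" AND logon_type=4)
| table _time, ip, logon_type, user
```

The same condition works as `| where NOT (ip="18.104.22.168" AND logon_type=4)`; `search` is usually preferable because it can be pushed into the base search and filters events before they are brought back. One caveat worth knowing: `NOT (ip="x" AND logon_type=4)` is not the same as `ip!="x" OR logon_type!=4`. The `!=` form only matches events that actually carry the field, so an event with no logon_type field would be dropped by `logon_type!=4` but kept by the `NOT (...)` form, which is the behaviour the question asks for (keep everything except that one combination).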