Splunk Search

Filter Specific results & include specific result in query

alexspunkshell
Contributor


If the user's AD & Logon locations are the same, then I am filtering the results with the below query. 

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc

Now I want to filter the results for only the 2 "Event_Titles" below.

Event_Title = "Unfamiliar sign-in properties"
Event_Title = "Malware linked IP address"

And I want to also get all Event_Titles if the user's AD & Logon location is unique and different.

Please help here.

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana   @to4kawa @woodcock 

0 Karma
1 Solution

ITWhisperer
SplunkTrust
| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR (Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address")


ITWhisperer
SplunkTrust

Is this what you mean?

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc AND Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address"

alexspunkshell
Contributor

@ITWhisperer  Thanks much for your reply!

This query filters both Event_Title in the results. 

But I want to get all Event_Titles in the result and only filter, if the AD & Logon locations are the same, for "Unfamiliar sign-in properties" & "Malware linked IP address".

0 Karma

ITWhisperer
SplunkTrust

Does this match what you are asking for, i.e. only and all events for A in either ad loc or log loc, so long as A is in ad loc and log loc at the same time for both of the event titles you are interested in?

ad loc | log loc | event title                   | keep
-------|---------|-------------------------------|-----
A      | A       | Unfamiliar sign-in properties | Yes
A      | A       | Malware linked IP address     | Yes
A      | B       | Something else                | Yes
B      | A       | Something else                | Yes
B      | B       | Unfamiliar sign-in properties | No
B      | C       | Malware linked IP address     | No
C      | B       | Malware linked IP address     | No
B      | C       | Something else                | No

alexspunkshell
Contributor

@ITWhisperer  Thanks for your prompt reply.

Below is the requirement.

[image: alexspunkshell_0-1623511677412.png]

Any Location means it does not matter whether it is the same or a distinct location; it needs to be captured in the result.

The query below is filtering results for the same AD & Logon location for all the alerts.

But I want to filter only the "Unfamiliar sign-in properties" & "Malware linked IP address" alerts if the AD & Logon locations are different.

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc


0 Karma

ITWhisperer
SplunkTrust
| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR (Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address")

alexspunkshell
Contributor

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR Event_Title!="Unfamiliar sign-in properties"
| where logloc!=adloc OR Event_Title!="Malware linked IP address"

@ITWhisperer Thanks much. Above also gives the same result.

0 Karma
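The accepted OR/AND query and the two-stage `where` variant above express the same predicate. As an added example (not code from the thread), here it is modelled in Python over constructed events, which also surfaces an edge case the SPL hides: an event missing Logon_Location, AD_Location or Event_Title never satisfies `!=`, so `where` drops it unless the other side of the OR is true. This assumes Splunk's behaviour that a comparison against a missing field does not evaluate to true.

```python
import re

# Same pattern as the thread's rex: the last two word characters of the location.
LOC_RE = re.compile(r"(\w\w)$")
WATCHED_TITLES = ("Unfamiliar sign-in properties", "Malware linked IP address")


def extract_code(location):
    """Mirror the rex extraction: trailing two-letter code, or None if absent."""
    if location is None:
        return None
    m = LOC_RE.search(location)
    return m.group(1) if m else None


def spl_ne(a, b):
    """Splunk-style `!=`: a comparison involving a missing field is not true,
    so `where` would drop the event (assumption: modelled as False here)."""
    if a is None or b is None:
        return False
    return a != b


def keep_event(event):
    """Predicate of the accepted answer:
    logloc!=adloc OR (Event_Title != watched[0] AND Event_Title != watched[1])."""
    logloc = extract_code(event.get("Logon_Location"))
    adloc = extract_code(event.get("AD_Location"))
    title = event.get("Event_Title")
    locations_differ = spl_ne(logloc, adloc)
    not_watched = all(spl_ne(title, t) for t in WATCHED_TITLES)
    return locations_differ or not_watched


def filter_events(events):
    """Apply the predicate like `| where ...` and return the surviving events."""
    return [e for e in events if keep_event(e)]


# Constructed sample events (not from the thread); comments give the expected outcome.
SAMPLE_EVENTS = [
    {"AD_Location": "Austin, US", "Logon_Location": "Boston, US", "Event_Title": "Unfamiliar sign-in properties"},  # US/US -> drop
    {"AD_Location": "Austin, US", "Logon_Location": "London, GB", "Event_Title": "Unfamiliar sign-in properties"},  # US/GB -> keep
    {"AD_Location": "Austin, US", "Logon_Location": "Boston, US", "Event_Title": "Malware linked IP address"},      # US/US -> drop
    {"AD_Location": "Austin, US", "Logon_Location": "Boston, US", "Event_Title": "Something else"},                 # other title -> keep
    {"AD_Location": "Austin, US", "Logon_Location": "Berlin, DE", "Event_Title": "Something else"},                 # keep
    {"AD_Location": "Austin, US", "Logon_Location": None, "Event_Title": "Something else"},                         # no logon loc, other title -> keep
    {"AD_Location": "Austin, US", "Logon_Location": None, "Event_Title": "Malware linked IP address"},              # no logon loc -> silently dropped
]

if __name__ == "__main__":
    for e in filter_events(SAMPLE_EVENTS):
        print(e["Event_Title"], "|", e["AD_Location"], "->", e["Logon_Location"])
```

The last sample row is the one to watch in production: a watched alert whose logon location failed to extract disappears from the results rather than being flagged, so consider a `fillnull` or an `isnull()` branch if such events must surface.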