Splunk Search

Filter Specific results & include specific result in query

alexspunkshell
Contributor


If the user's AD & Logon locations are the same, then I am filtering the results with the below query. 

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc

Now I want to filter the results for only the 2 "Event_Titles" below.

Event_Title = "Unfamiliar sign-in properties"
Event_Title = "Malware linked IP address"

And I want to also get all Event_Titles if the user's AD & Logon location is unique and different.

Please help here.

@scelikok @soutamo @saravanan90 @thambisetty @ITWhisperer @gcusello @bowesmana   @to4kawa @woodcock 


1 Solution

ITWhisperer
SplunkTrust
| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR (Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address")


ITWhisperer
SplunkTrust

Is this what you mean?

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc AND Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address"

alexspunkshell
Contributor

@ITWhisperer  Thanks much for your reply!

This query filters both Event_Titles from the results.

But I want to get all Event_Titles in the result, and in particular filter "Unfamiliar sign-in properties" and "Malware linked IP address" only if the AD and Logon locations are the same.


ITWhisperer
SplunkTrust

Does this match what you are asking for, i.e. only and all events for A in either ad loc or log loc so long as A is in ad loc and log loc at the same time for both the event titles you are interested in?

ad loc  log loc  event title                     keep
A       A        Unfamiliar sign-in properties   Yes
A       A        Malware linked IP address       Yes
A       B        Something else                  Yes
B       A        Something else                  Yes
B       B        Unfamiliar sign-in properties   No
B       C        Malware linked IP address       No
C       B        Malware linked IP address       No
B       C        Something else                  No

alexspunkshell
Contributor

@ITWhisperer  Thanks for your prompt reply.

Below is the requirement

[Image attachment: alexspunkshell_0-1623511677412.png, the requirement table]

"Any Location" means it does not matter whether the location is the same or distinct, but it needs to be captured in the result.

The query below is filtering results for the same AD & Logon location for all the alerts.

But I want to filter only the "Unfamiliar sign-in properties" & "Malware linked IP address" alerts if the AD & Logon locations are different.

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc


ITWhisperer
SplunkTrust
| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR (Event_Title != "Unfamiliar sign-in properties" AND Event_Title != "Malware linked IP address")

alexspunkshell
Contributor

| rex field=Logon_Location "(?<logloc>\w\w$)"
| rex field=AD_Location "(?<adloc>\w\w$)"
| where logloc!=adloc OR Event_Title!="Unfamiliar sign-in properties"
| where logloc!=adloc OR Event_Title!="Malware linked IP address"

@ITWhisperer Thanks much. Above also gives the same result.
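As an added example (not code from the thread or from Splunk), the following Python models the three query forms posted above over constructed events, so the accepted OR form, the asker's chained form, and the first AND form can be compared side by side; it assumes, as Splunk's `where` does, that a comparison involving a null field is not true.

```python
import re

# Constructed Python model of the thread's SPL (not Splunk code): `rex` keeps the
# two trailing word characters, `where` keeps events whose predicate is true.
SUFFIX_RE = re.compile(r"(\w\w)$")  # same pattern as rex "(?<logloc>\w\w$)"
WATCHED = {"Unfamiliar sign-in properties", "Malware linked IP address"}

def location_code(value):
    """Last two word characters of the field, or None when rex would not match."""
    m = SUFFIX_RE.search(value or "")
    return m.group(1) if m else None

def locations_differ(event):
    """SPL `logloc!=adloc`. Assumption: as in Splunk, a comparison involving a
    null field is not true, so an event whose location failed to extract fails."""
    logloc = location_code(event.get("Logon_Location"))
    adloc = location_code(event.get("AD_Location"))
    return logloc is not None and adloc is not None and logloc != adloc

def keep_accepted(event):
    """Accepted answer: locations differ OR the title is not a watched alert."""
    return locations_differ(event) or event.get("Event_Title") not in WATCHED

def keep_first_attempt(event):
    """First reply (AND form): drops every watched alert, whatever the location."""
    return locations_differ(event) and event.get("Event_Title") not in WATCHED

def keep_chained(event):
    """Asker's final form: two chained `where` clauses, one watched title each."""
    title = event.get("Event_Title")
    return all(locations_differ(event) or title != t for t in WATCHED)

def run_filter(events, predicate):
    """Return the ids of the events a `where` clause with this predicate keeps."""
    return [e["id"] for e in events if predicate(e)]

def sample_events():
    """Constructed events: every location/title combination, plus two events
    whose AD_Location is empty so rex extracts nothing (ids 9 and 10)."""
    rows = [("US", "US", "Unfamiliar sign-in properties"), ("US", "US", "Malware linked IP address"),
            ("US", "GB", "Something else"), ("GB", "US", "Something else"),
            ("GB", "GB", "Unfamiliar sign-in properties"), ("GB", "DE", "Malware linked IP address"),
            ("DE", "GB", "Malware linked IP address"), ("GB", "DE", "Something else"),
            ("", "GB", "Malware linked IP address"), ("", "GB", "Something else")]
    return [{"id": i + 1, "AD_Location": f"Site-{ad}" if ad else "",
             "Logon_Location": f"Site-{lg}", "Event_Title": t}
            for i, (ad, lg, t) in enumerate(rows)]
```

Events 9 and 10 show the caveat worth checking in real data: an alert whose location field is empty or does not end in two word characters behaves like a same-location alert, so a watched title with a missing location is silently dropped by every form.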
