Hello, I'm working on a use case where I have 1 source and 2 destinations. Everything that is found between the source and the 2 destinations needs to be excluded. So I've used:
where source = X AND destination != Y OR destination != Z
But this will filter the logs and will display only the logs that come from source X, and the logs that come from other sources will be excluded as well.
How can I exclude only the logs from source X to destinations Y and Z?
Hi @danutmatei,
if you want to exclude from your results the events from source and one of the destinations, you could run something like this:
index=your_index NOT (source=X (destination=Y OR destination=Z))
| ...
Ciao.
Giuseppe
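To see why the original expression behaves the way the question describes and why the NOT (...) form fixes it, here is an added Python model of the two searches run over constructed sample events; it is not code from the thread. It assumes Splunk search semantics: OR is evaluated before AND, juxtaposition inside parentheses is an implicit AND, and field!=value only matches events that carry the field.

```python
# Constructed sample firewall events (not from the original thread).
EVENTS = [
    {"id": 1, "source": "X", "destination": "Y"},  # must be excluded
    {"id": 2, "source": "X", "destination": "Z"},  # must be excluded
    {"id": 3, "source": "X", "destination": "W"},  # keep: X to another destination
    {"id": 4, "source": "A", "destination": "Y"},  # keep: other source to Y
    {"id": 5, "source": "B", "destination": "Z"},  # keep: other source to Z
    {"id": 6, "source": "C"},                      # keep: no destination field at all
]


def naive_filter(e):
    # Models: source=X AND destination!=Y OR destination!=Z
    # Assumed Splunk search precedence: OR binds tighter than AND, so this
    # reads as source=X AND (destination!=Y OR destination!=Z).
    # field!=value is only true when the field exists on the event.
    has_dest = "destination" in e
    dest_not_y = has_dest and e["destination"] != "Y"
    dest_not_z = has_dest and e["destination"] != "Z"
    return e.get("source") == "X" and (dest_not_y or dest_not_z)


def exclusion_filter(e):
    # Models: NOT (source=X (destination=Y OR destination=Z))
    # Juxtaposition inside the parentheses is an implicit AND, and NOT
    # negates the whole group, so events lacking a destination survive.
    return not (e.get("source") == "X" and e.get("destination") in ("Y", "Z"))


def kept_ids(predicate, events=EVENTS):
    # Return the ids of the events a search expression would keep.
    return [e["id"] for e in events if predicate(e)]


if __name__ == "__main__":
    print("naive    :", kept_ids(naive_filter))      # [1, 2, 3]
    print("exclusion:", kept_ids(exclusion_filter))  # [3, 4, 5, 6]
```

The naive form keeps only source X (and still keeps the Y and Z events it was meant to drop), while the NOT (...) form drops exactly the two X-to-Y/Z events and leaves every other source alone.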
If I have the logs from a data model, can I use this?
| from datamodel:firewall_logs | where NOT (source="X" AND (destination="Y" OR destination="Z"))
Thank you
Hi @danutmatei,
Yes, this is the condition; it should run. Otherwise, you can use the search command:
Ciao.
Giuseppe
Hi @danutmatei,
Good for you, see you next time!
Ciao and happy splunking
Giuseppe
P.S.: Karma Points are appreciated 😉