Splunk Search

How can I whitelist based on these 3 conditions - where condition with 3 arguments?

danutmatei
Explorer

Hi, I have an inputlookup with wSender, wSubject and wRecipient. I want to whitelist some of the emails sent by a user to a specific recipient that have a specific subject.

How can I whitelist based on these 3 conditions (Sender=X, Subject=Y, Recipient=Z)?

I've tried: where Sender!=wSender AND Subject!=wSubject AND Recipient!=wRecipient but in this case all the emails sent by wSender are whitelisted.

Also tried index=xxx AND NOT | inputlookup whitelist.csv fields wSender, wSubject, wRecipient - but with the same result: the user from wSender is getting whitelisted for all the emails he sent, not just the ones from wSubject.


ITWhisperer
SplunkTrust

By "whitelist", it looks like you are trying to filter OUT anything that matches all 3 fields in any row in your lookup - right? Try something like this

index=xxx AND NOT [| inputlookup whitelist.csv | fields wSender, wSubject, wRecipient | format]

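As an added example (not part of the original thread): the accepted answer with one caveat built in. `format` emits the subsearch's own field names, so if the events carry Sender/Subject/Recipient while the lookup columns are wSender/wSubject/wRecipient, as the question's `where` clause suggests, rename the columns before `format` so the generated clause references the event field names; index name, lookup file and field names come from the thread, and the second search is an assumed alternative rather than anything the answerer posted.

```spl
index=xxx AND NOT [
    | inputlookup whitelist.csv
    | fields wSender, wSubject, wRecipient
    | rename wSender AS Sender, wSubject AS Subject, wRecipient AS Recipient
    | format
]

index=xxx
| lookup whitelist.csv wSender AS Sender, wSubject AS Subject, wRecipient AS Recipient OUTPUT wSender AS whitelisted
| where isnull(whitelisted)
```

With a constructed two-row whitelist.csv the first subsearch expands to `( ( Sender="alice@example.com" AND Subject="Weekly report" AND Recipient="bob@example.com" ) OR ( Sender="carol@example.com" AND Subject="Build status" AND Recipient="dev@example.com" ) )`, so each row suppresses only its own exact sender/subject/recipient triple, which is why the per-field `!=` version over-whitelists. The second form matches all three fields row-wise through `lookup` instead of a subsearch, so it is not subject to subsearch result limits when the whitelist grows large.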

danutmatei
Explorer

working like a charm, thank you


