How do you exclude two matching field values in a search?

Hello,

I want to make a very specific exclusion from my search. In my case, there are two different field names I am interested in excluding, but I only want to exclude the search result if they BOTH match a specific value. To be more clear:

If "threat_name=WindowsThreat" and "src_ip=192.168.1.0/24" then do not return the search result.
If "threat_name=WindowsThreat" and "src_ip=something other than 192.168.1.0/24" then yes return the search result.

Re: How do you exclude two matching field values in a search?

| search NOT (threat_name="WindowsThreat" AND src_ip="192.168.1.0/24")
OR
| where NOT (threat_name="WindowsThreat" AND src_ip="192.168.1.0/24")

Either of these will work to give you all results where threat_name is not "WindowsThreat" and src_ip is not explicitly "192.168.1.0/24". If you want to exclude all src_ips that fall in the CIDR range 192.168.1.0/24, you will need to change the where to...

| where NOT (threat_name="WindowsThreat" AND cidrmatch("192.168.1.0/24", src_ip))
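As an added illustration (not part of the original answer), the following search builds five constructed events with `makeresults` and applies the CIDR-aware exclusion, so you can see which rows survive before pointing the filter at real data. The field names `threat_name` and `src_ip` are the ones from the question; the IP addresses and threat names are made up for the test.

```spl
| makeresults count=5
| streamstats count AS n
| eval threat_name=case(n=1, "WindowsThreat", n=2, "WindowsThreat", n=3, "LinuxThreat", n=4, "WindowsThreat", n=5, "LinuxThreat")
| eval src_ip=case(n=1, "192.168.1.15", n=2, "10.0.0.5", n=3, "192.168.1.20", n=4, "192.168.2.7", n=5, "172.16.0.9")
| where NOT (threat_name="WindowsThreat" AND cidrmatch("192.168.1.0/24", src_ip))
| table n threat_name src_ip
```

Only event 1 (WindowsThreat from 192.168.1.15) is removed. Event 2 (WindowsThreat from an address outside the subnet) and event 3 (a different threat name from inside the subnet) both remain, which is exactly the asymmetry the question asks for. Note that `threat_name!="WindowsThreat" AND NOT cidrmatch(...)` would instead keep only events 5 and similar rows that match neither condition, dropping events 2, 3 and 4 as well.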

Re: How do you exclude two matching field values in a search?

Thank you! This worked
