Solved: How to edit my search to return results from all c...

jwalzerpitt · ‎12-19-2016

I created the following search query to cross search for users who successfully log in to a website and also received an email from a
specific sender (at the bottom), and I'm trying to filter out a few states. If I remove the | search state!=PA state!=OH state!=10 section the query runs and I see users logging in from both the US and outside the US.

However, with the | search state!=PA state!=OH state!=10 section in the search, my search is limited to only US based countries and countries outside the US are no longer listed in the results.

How can I return all countries and exclude a few states? I think my query isn't taking the fact that some countries do not have a state associated with them.

Thx

index=xxx url="https://xxx.xxx.xxx  NOT (x* OR x.y.* OR x.y.* OR x.y.* OR x.y.*) [search index=xxx SenderAddress="xxx@abc.com" |dedup user | fields user] | geoip "src_ip" | rename "src_ip"_latitude as "lat" | rename "src_ip"_longitude as "long" | rename "src_ip"_country_code as "country" | rename "src_ip"_region_name as "state" | table  _time user country state src_ip

chrishartsock · ‎12-19-2016

You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.

View solution in original post

chrishartsock · ‎12-19-2016

You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.

jwalzerpitt · ‎12-19-2016

That worked - thx for he help!

How to edit my search to return results from all countries but exclude a few states?

Built-in Service Level Objectives Management to Bridge the Gap Between Service & ...

Get Your Exclusive Splunk Certified Cybersecurity Defense Engineer at Splunk .conf24 ...

Share Your Ideas & Meet the Lantern team at .Conf! Plus All of This Month’s New ...