Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to edit my search to return results from all countries but exclude a few states?

jwalzerpitt
Influencer
‎12-19-2016 08:31 AM

I created the following search query to cross search for users who successfully log in to a website and also received an email from a
specific sender (at the bottom), and I'm trying to filter out a few states. If I remove the | search state!=PA state!=OH state!=10 section the query runs and I see users logging in from both the US and outside the US.

However, with the | search state!=PA state!=OH state!=10 section in the search, my search is limited to only US based countries and countries outside the US are no longer listed in the results.

How can I return all countries and exclude a few states? I think my query isn't taking the fact that some countries do not have a state associated with them.

Thx

index=xxx url="https://xxx.xxx.xxx  NOT (x* OR x.y.* OR x.y.* OR x.y.* OR x.y.*) [search index=xxx SenderAddress="xxx@abc.com" |dedup user | fields user] | geoip "src_ip" | rename "src_ip"_latitude as "lat" | rename "src_ip"_longitude as "long" | rename "src_ip"_country_code as "country" | rename "src_ip"_region_name as "state" | table  _time user country state src_ip
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

chrishartsock
Path Finder
‎12-19-2016 08:51 AM

You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.

View solution in original post

Reply
Solved! Jump to solution
Solution

chrishartsock
Path Finder
‎12-19-2016 08:51 AM

You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.

Reply
Solved! Jump to solution

jwalzerpitt
Influencer
‎12-19-2016 09:01 AM

That worked - thx for he help!

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...