Splunk Search

How to edit my search to return results from all countries but exclude a few states?

jwalzerpitt
Influencer

I created the following search query to cross search for users who successfully log in to a website and also received an email from a specific sender (at the bottom), and I'm trying to filter out a few states. If I remove the | search state!=PA state!=OH state!=10 section the query runs and I see users logging in from both the US and outside the US.

However, with the | search state!=PA state!=OH state!=10 section in the search, my search is limited to only US based countries and countries outside the US are no longer listed in the results.

How can I return all countries and exclude a few states? I think my query isn't taking the fact that some countries do not have a state associated with them.

Thx

index=xxx url="https://xxx.xxx.xxx" NOT (x* OR x.y.* OR x.y.* OR x.y.* OR x.y.*) [search index=xxx SenderAddress="xxx@abc.com" | dedup user | fields user] | geoip "src_ip" | rename "src_ip"_latitude as "lat" | rename "src_ip"_longitude as "long" | rename "src_ip"_country_code as "country" | rename "src_ip"_region_name as "state" | table _time user country state src_ip
0 Karma
1 Solution

chrishartsock
Path Finder

You could fill your null values. So before you do '| search state!=PA state!=OH state!=10', do ' | fillnull value=NULL state | '.
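The following search is an added example, not part of the original thread, showing why the fix works. It builds its own sample events with makeresults (the users, countries and states are constructed values, not data from the question), so it runs on any Splunk instance without the index or geoip fields from the original query. The key behaviour it demonstrates: `state!=PA` only matches events that actually have a state field, so non-US logins, which have no region, silently drop out of the results, which for a login-monitoring search is a blind spot rather than a cosmetic problem. Filling the missing field first keeps those events in.

```spl
| makeresults count=5
| streamstats count AS n
| eval user="user".n,
       country=case(n=1,"US", n=2,"US", n=3,"US", n=4,"GB", n=5,"DE"),
       state=case(n=1,"PA", n=2,"CA", n=3,"OH")
| fields - n
| fillnull value=NULL state
| search state!=PA state!=OH state!=10
| table _time user country state
```

Events 4 and 5 (GB and DE) never get a state from the case() call, so before fillnull the field does not exist on them. With the fillnull line in place the search returns user2 (US/CA), user4 (GB/NULL) and user5 (DE/NULL); remove that line and only user2 survives, which is the symptom described in the question. The placeholder string NULL is arbitrary; any value that is not one of the excluded states works, and choosing something obviously artificial makes the filled rows easy to spot in the table. An equivalent approach without fillnull is to negate the match instead of using the != operator, i.e. `| search NOT (state="PA" OR state="OH" OR state="10")`, because in Splunk `NOT field=value` also matches events where the field is absent, whereas `field!=value` requires the field to be present.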


jwalzerpitt
Influencer

That worked - thx for the help!

0 Karma