Hi, sorry if I am asking a duplicate question.
Looking for something like this:
1) I have a list of source IPs in a CSV file, which I want to exclude from the results.
2) Then filter the results with different fields.
index=abc_splunk sourcetype=access_log uri!="/healthcheck" | lookup Source_IPs.csv rIP OUTPUT rIP as RealIP | where isnull(RealIP) | stats count by uri, http_status
This works, but if I add "stats count by realIP, uri, http_status" then it doesn't work.
Do I need to use "fillnull" as well here? If yes, then how can I use it for different fields?
Thanks,
DD
You can't perform stats on a null field (RealIP). You will get no results. Your where clause says you want to see events without a RealIP value, therefore it makes no sense to include RealIP in your stats. You could specify | fillnull value="0.0.0.0" RealIP, but what value would that add to your results?
Hi,
I want to exclude the IPs which are in the CSV file from the search results, but want to display the rest of the IPs.
How can I list the rest of the IPs with other stats?
Try this:
index=abc_splunk sourcetype=access_log uri!="/healthcheck" NOT [ | inputlookup Source_IPs.csv | rename rIP as RealIP | format ] | stats count by RealIP, uri, http_status
The realIP field name is case sensitive.
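As an added example (not from either poster), the same exclusion done with the original lookup approach instead of the NOT subsearch, carried through so that the surviving IPs still appear in the breakdown. It assumes the access_log events carry the client address in an event field named rIP (the field the first query's lookup command matches on) and that Source_IPs.csv has a column named rIP:

```spl
index=abc_splunk sourcetype=access_log uri!="/healthcheck"
| lookup Source_IPs.csv rIP OUTPUT rIP AS listed_ip
| where isnull(listed_ip)
| stats count BY rIP, uri, http_status
| sort - count
```

The lookup output (listed_ip) is populated only for events whose rIP is in the CSV, so the where clause drops exactly those, and grouping on the event field rIP rather than on the lookup output (which is null for every event that survives the filter) is what makes the per-IP rows show up.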