How to exclude the results by filtering source IPs...

dpdwibedy · ‎04-27-2020

Hi , Sorry , if I am asking duplicate question.

Looking for something like this....

1) I have a list of source IPs in a csv file , which I want to exclude from the results.
2) Then filter the results with different fields.

index=abc_splunk sourcetype=access_log uri!="/healthcheck" |lookup Source_IPs.csv rIP OUTPUT rIP as RealIP | where isnull(RealIP) | stats count by uri,http_status

This works , but if I add "stats count by realIP, uri,http_status" then it doesn't work.

Do I need to use "fillnull" as well here ? If yes , then how can I use it for different fields ?

Thanks,
DD

richgalloway · ‎04-27-2020

You can't perform stats on a null field (RealIP). You will get no results. Your where clause says you want to see events without a RealIP value, therefore, it makes no sense to include RealIP in your stats. You could specify | fillnull value="0.0.0.0" RealIP, but what value would that add to your results?

---
If this reply helps you, Karma would be appreciated.

dpdwibedy · ‎04-27-2020

Hi,

I want to exclude the IPs which are in the csv file from the search results , but want to display rest of the IPs.

How can I list rest of the IPs with other stats ?

richgalloway · ‎04-27-2020

Try this:

index=abc_splunk sourcetype=access_log uri!="/healthcheck" NOT [ | inputlookup Source_IPs.csv | rename rIP as RealIP | format ] | stats count by RealIP, uri,http_status

---
If this reply helps you, Karma would be appreciated.

to4kawa · ‎04-27-2020

realIP
field name is case sensitive.

How to exclude the results by filtering source IPs from a lookup table and then filter the results by different fields.

Welcome to the Splunk Community!

Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM

Adoption of RUM and APM at Splunk