Solved: How to join filtering search

martaBenedetti · ‎06-16-2021

Hi community,

starting form a custom commands that returns a list of hostnames, I have the need to filter out:

platform != osx
domain NOT IN ("domain2", "domain3")
domain=domain1 hostname IN ("host1*","host2*")

In order to do so I'm trying different versions but I can't get the result I want.

With this search I can olny get these domain=domain1 hostname IN ("host1*","host2*") but all the hostname in a different domain than domain2 and domain3 are missing.

| getfe
| search platform != "osx" (domain =domain1 hostname IN ("host1*","host2*")) 
| append 
    [search NOT domain IN ("domain2", "domain3", "domain1")]

Can you please help me? I know I'm missin

Thanks a lot

Marta

yannK · ‎06-16-2021

what about an OR condition ?

( platform != osx ) 
AND  
( ( domain NOT IN ("domain2", "domain3") OR ( domain=domain1 hostname IN ("host1*","host2*") ) )

View solution in original post

yannK · ‎06-16-2021

what about an OR condition ?

( platform != osx ) 
AND  
( ( domain NOT IN ("domain2", "domain3") OR ( domain=domain1 hostname IN ("host1*","host2*") ) )

martaBenedetti · ‎06-17-2021

Yeah, actually I complicated my self....though of the OR condition this morning 😄

Thanks anyway!

How to join filtering search

join

subsearch

Simplifying the Analyst Experience with Finding-based Detections

[Puzzles] Solve, Learn, Repeat: Word Search

[Puzzles] Solve, Learn, Repeat: Advent of Code - Day 4

Join the Conversation