- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: How to whitelist multiple IP addresses from da...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Guys,
Can you please tell me how to exclude/whitelist multiple ip adresses from the datamodel search
here is the example:
All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.13
I would like to have it more clear like: All_Traffic.dest_ip!=10.10.10.10, 10.10.10.10, 10.10.10.13
Unfortunately it doesn't work. Which parameter needs to be used ??
Thanks!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the IN operator
... Where NOT All_Traffic.dest_ip IN (10.10.10.10, 10.10.10.10, 10.10.10.13)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
And later on if I would like to add All_Traffic.dest_port and All_Traffic.transport!
Which parameter I should use ?
I tried:
WHERE NOT (All_Traffic.src_port IN (80, 443) OR NOT All_Traffic.dest_port IN (80, 443, 22, 5060)
but it does not work.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't know how the NOT outside the parens impacts the NOT inside, also not sure what Logic you are trying to implement.
This will find any events that don't have a src port of 80 or 443 or a dest of 80 443 22 5060.
WHERE ( NOT All_Traffic.src_port IN (80, 443) AND NOT All_Traffic.dest_port IN (80, 443, 22, 5060) )
OR
WHERE NOT ( All_Traffic.src_port IN (80, 443) OR All_Traffic.dest_port IN (80, 443, 22, 5060) )
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
and how about IP ranges, for example:
All_Traffic.src_ip IN (10.16.72.20, 10.128.124.0/22)
??
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As far as I can tell, when using IN the CIDR address is seen as a single value and not as a CIDR value to expand.
You would need to do it the old fashioned way:
All_Traffic.src_ip=10.16.72.20 OR All_Traffic.src_ip=10.128.124.0/22
If you have several individual IPs, you could do those via IN:
WHERE All_Traffic.src_ip IN (10.16.72.20, 10.16.73.20 ) OR All_Traffic.src_ip=10.128.124.0/22 OR All_Traffic.src_ip=10.34.124.0/22
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You could use the IN operator
... Where NOT All_Traffic.dest_ip IN (10.10.10.10, 10.10.10.10, 10.10.10.13)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you !!!
Splunk Custom Visualizations App End of Life
Introducing Splunk Enterprise 9.2
Adoption of RUM and APM at Splunk
