Is there an inverse to the IN Command?

Hi Everyone,

I recently found the IN command

IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)  

I was curious if there was an inverse to the IN command, as it only seems to work with inclusive fields and not if you are "not" looking for something.

Just generally curious as this would clean up some of my queries rather than typing field!= all the time.

Thanks in advance.


The NOT operator should work on all logical functions, including IN so try NOT IN.

Maybe you can try NOT IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)

What version of Splunk are you using? In 6.6.0, something like this works fine.

...| where NOT IP IN ("x.x.x.x","y.y.y.y",....)
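
Added example, not part of the original thread: a single query over constructed `makeresults` events that runs the `NOT IP IN (...)` filter next to the chain of `IP!=` terms it is meant to replace. The field names `n`, `filter` and `data` and the address 192.168.1.1 are assumptions made for the illustration; event 4 deliberately has no IP field.

```spl
| makeresults count=4
| streamstats count AS n
| eval IP=case(n==1, "10.72.168.5", n==2, "10.94.102.7", n==3, "192.168.1.1")
| search NOT IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)
| eval filter="NOT IP IN (...)"
| append
    [| makeresults count=4
     | streamstats count AS n
     | eval IP=case(n==1, "10.72.168.5", n==2, "10.94.102.7", n==3, "192.168.1.1")
     | search IP!=10.72.168.* IP!=10.94.102.* IP!=10.80.134.*
     | eval filter="IP!= chain"]
| eval data="constructed sample"
| table filter n IP data
```

The two filters are not identical: `NOT` also keeps events that have no IP field at all, while `IP!=` only matches events where IP exists, so the first filter returns events 3 and 4 and the second returns only event 3.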
