Splunk Search

Is there an inverse to the IN Command?

New Member

Hi Everyone,

I recently found the IN command

IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)  

I was curious if there was an inverse to the IN command, as it only seems to work with inclusive fields and not if you are "not" looking for something.

Just generally curious as this would clean up some of my queries rather than typing field!= all the time.

Thanks for advance.

Steve

0 Karma

Esteemed Legend

The NOT operator should work on all logical functions, including IN so try NOT IN.

0 Karma

Motivator

May be you can try NOT IP IN (10.72.168., 10.94.102., 10.80.134.*)

0 Karma

SplunkTrust
SplunkTrust

What version of Splunk you're using? In 6.6.0, something like this works fine.

...| where NOT IP IN ("x.x.x.x","y.y.y.y",....)
0 Karma