Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove multiple values of attributes using single NOT

vittal_kumar
Engager
‎03-10-2017 02:48 AM

Hello Everyone,

I want to block multiple IP address I got my using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy

Is there any way to block all using single NOT command or any other like example IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)

Thanks in advance!

VK

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-10-2017 07:32 AM

For small list, you can use following subsearch method. Provide space separated list of IP in the subsearch eval command.

index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz"  | table IP | makemv IP  ] ..| rest of the search
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎03-10-2017 04:22 AM

Well, you can do something similar to what you wrote:

... NOT (IP=X OR IP=Y)

Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:

... NOT (IP=192.168.0.0/24)

Or you could put them in a lookup and remove them using a subsearch:

... NOT [ | inputlookup <your lookup> ]

That last will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from and if you want to go down that route ask!

Happy Splunking!
-Rich

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...

Routing logs with Splunk OTel Collector for Kubernetes

The Splunk Distribution of the OpenTelemetry (OTel) Collector is a product that provides a way to ingest ...

Welcome to the Splunk Community!

(view in My Videos) We're so glad you're here! The Splunk Community is place to connect, learn, give back, and ...