Remove multiple values of attributes using single NOT

vittal_kumar
Engager

Hello Everyone,

I want to block multiple IP addresses. I got mine using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy

Is there any way to block them all using a single NOT command, or anything else, for example IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)?

Thanks in advance!

VK

1 Solution

gcusello
SplunkTrust

Hi vittal_kumar,
You could use eval commands with match or like, but it's slow!
The best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe


somesoni2
Revered Legend

For a small list, you can use the following subsearch method. Provide a space-separated list of IPs in the subsearch eval command.

index=foo sourcetype=bar NOT [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz" | table IP | makemv IP ] ..| rest of the search

Richfez
SplunkTrust

Well, you can do something similar to what you wrote:

... NOT (IP=X OR IP=Y)

Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:

... NOT (IP=192.168.3.0/24)

Or you could put them in a lookup and remove them using a subsearch:

... NOT [ | inputlookup <your lookup> ]

That last one will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from, and if you want to go down that route, ask!

Happy Splunking!
-Rich
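
Added example, not code from this thread or from Splunk: a small Python simulation of what the SPL forms discussed above do to a set of events, next to the clause text each approach produces. It covers somesoni2's space-separated list, Richfez's NOT (IP=X OR IP=Y) and CIDR forms, and the IP!=X OR IP!=Y form from the question. The events, the field name IP, the blocklist values and the CIDR block are constructed stand-ins; the way Splunk expands a subsearch is only approximated here.

```python
"""Simulate the exclusion semantics of the SPL forms from the thread.

Added worked example; not from the original post and not Splunk code.
"""
import ipaddress

# Constructed sample events (stand-ins for index=foo sourcetype=bar results).
EVENTS = [
    {"IP": "10.0.0.5", "action": "login"},
    {"IP": "10.0.0.6", "action": "login"},
    {"IP": "192.168.3.17", "action": "scan"},
    {"IP": "203.0.113.9", "action": "login"},
]

# Constructed blocklist (stands in for xxx.xx.xx.xx and yyy.yy.yy.yy).
BLOCKLIST = ["10.0.0.5", "10.0.0.6"]


def spl_not_clause(field, values):
    """Render the form NOT (IP="a" OR IP="b").

    This approximates what Splunk substitutes for a subsearch that returns
    several values of one field (the makemv trick or an inputlookup), once
    the subsearch is wrapped in NOT.
    """
    terms = " OR ".join(f'{field}="{v}"' for v in values)
    return f"NOT ({terms})"


def spl_or_not_equal_clause(field, values):
    """Render the form from the question: IP!="a" OR IP!="b"."""
    return " OR ".join(f'{field}!="{v}"' for v in values)


def exclude_exact(events, field, values):
    """NOT (IP=a OR IP=b): drop an event if its IP equals ANY listed value."""
    blocked = set(values)
    return [e for e in events if e.get(field) not in blocked]


def or_not_equal(events, field, values):
    """IP!=a OR IP!=b: keep an event if its IP differs from ANY listed value.

    With two or more distinct values every IP differs from at least one of
    them, so nothing is excluded. De Morgan: NOT (A OR B) == NOT A AND NOT B.
    All sample events carry the field, so missing-field handling is not
    modelled here.
    """
    return [e for e in events if any(e.get(field) != v for v in values)]


def exclude_cidr(events, field, cidr):
    """NOT (IP=192.168.3.0/24): drop events whose IP lies inside the block.

    Mirrors the CIDR matching Richfez describes; a value that does not parse
    as an IP address is kept rather than matched.
    """
    net = ipaddress.ip_network(cidr, strict=False)
    kept = []
    for e in events:
        try:
            addr = ipaddress.ip_address(e.get(field, ""))
        except ValueError:
            kept.append(e)
            continue
        if addr not in net:
            kept.append(e)
    return kept


def remaining_ips(events, field="IP"):
    """Convenience: list the IP values left after a filter."""
    return [e[field] for e in events]


if __name__ == "__main__":
    print(spl_not_clause("IP", BLOCKLIST))
    print(remaining_ips(exclude_exact(EVENTS, "IP", BLOCKLIST)))
    print(spl_or_not_equal_clause("IP", BLOCKLIST))
    print(remaining_ips(or_not_equal(EVENTS, "IP", BLOCKLIST)))
    print(remaining_ips(exclude_cidr(EVENTS, "IP", "192.168.3.0/24")))
```

Running it shows the two blocklisted addresses disappearing under the NOT (...) form, the whole event set surviving the IP!= ... OR IP!= ... form, and only the 192.168.3.x host dropping out under the CIDR form.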
