Solved: Remove multiple values of attributes using single ... - Splunk Community

Splunk Search

Highlighted

Hello Everyone,

I want to block multiple IP address I got my using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy

Is there any way to block all using single NOT command or any other like example IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)

Thanks in advance!

VK

1 Solution

Highlighted

Solution

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

View solution in original post

Highlighted

Well, you can do something similar to what you wrote:

... NOT (IP=X OR IP=Y)

Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:

... NOT (IP=192.168.0.0/24)

Or you could put them in a lookup and remove them using a subsearch:

... NOT [ | inputlookup <your lookup> ]

That last will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from and if you want to go down that route ask!

Happy Splunking!
-Rich

Highlighted

For small list, you can use following subsearch method. Provide space separated list of IP in the subsearch eval command.

index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz"  | table IP | makemv IP  ] ..| rest of the search