Solved: Search '!=' does not work after upgrading to Splun...

girtsgr · ‎11-07-2019

Anybody else having issues with search operator '!=' after upgrading to Splunk Enterprise 8?

My search is index=myindex | search src_ip!=10.0.0.0/8 and after the upgrade Splunk started to return all the local addresses in the search results. Any ideas what to do?

martin_mueller · ‎11-08-2019

Looks like a bug to me, I've filed a case ¯\(ツ)/¯

View solution in original post

mbrunetto · ‎01-06-2020

Worked a similar issue with support, but couldn't use the "where" option due to the way my search was formed. You can also make a change to limits.conf to use the old behavior. Documenting here in case anyone else finds this article looking for a similar solution.

Workaround:
limits.conf: [search] use_search_evaluator_v2=false

Tracked as Splunk Issues: SPL-179357, SPL-179700
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/Knownissues

garias_splunk · ‎11-12-2019

There is a workaround, try this:
use a "| where" command instead, example:
index=_internal
| where NOT cidrmatch("127.0.0.0/8", clientip)
| stats count BY clientip

girtsgr · ‎11-12-2019

Yeah, already got the support email and implemented it in some cases, and also posted here.

mhoogcarspel_sp · ‎11-12-2019

Just to be clear, it's the combination of:
Splunk 8.0.0
search
negation (!=, NOT)
in combination with CIDR based filtering (10.0.0.0/8)

where command with cidrmatch isn't affected
negation of non-CIDR values isn't affected

girtsgr · ‎11-12-2019

Fails without search command as well, eg, index=myindex src_ip!=10.0.0.0/8

But yes:

where command with cidrmatch isn't affected
negation of non-CIDR values isn't affected
true

mhoogcarspel_sp · ‎11-13-2019

"index=myindex src_ip!=10.0.0.0/8" is also the search command, any search string without a command at the beginning is actually "| search ... " 🙂

martin_mueller · ‎11-08-2019

Looks like a bug to me, I've filed a case ¯\(ツ)/¯

martin_mueller · ‎11-11-2019

Repro'd by support, bug SPL-179357.

girtsgr · ‎11-12-2019

FYI: support suggested a workaround:

There is a workaround, try this:
use a "| where" command instead, example:
index=_internal
| where NOT cidrmatch("127.0.0.0/8", clientip)
| stats count BY clientip

niketn · ‎11-13-2019

Adding a where to second pipe would mean query will become expensive. You will be pulling all IPs from index then filtering out one is a very bad search to execute. This can be a workaround only if your Splunk Infrastructure can support and only if dashboard somehow still performs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller · ‎11-13-2019

Not really, no. The original NOT field=value for search-time fields is slow already, not making it to lispy. Moving it to a where won't change scanCount.

niketn · ‎11-13-2019

I did NOT see that. Thanks for correction 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

girtsgr · ‎11-11-2019

Is it worth to file another report? Will that help to escalate the priority of this bug?

martin_mueller · ‎11-11-2019

Can't hurt to tell support that you're affected too. At the very least they'll then tell you when a fix is available.

girtsgr · ‎11-11-2019

Thanks, done.

manjunathmeti · ‎11-07-2019

Try index=myindex src_ip!="10.0.0.0/8" OR index=myindex NOT src_ip="10.0.0.0/8".

girtsgr · ‎11-07-2019

Tried it already, no luck.

Search '!=' does not work after upgrading to Splunk 8

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?