Splunk Search

Search '!=' does not work after upgrading to Splunk 8

girtsgr
Explorer

Anybody else having issues with search operator '!=' after upgrading to Splunk Enterprise 8?

My search is index=myindex | search src_ip!=10.0.0.0/8 and after the upgrade Splunk started to return all the local addresses in the search results. Any ideas what to do?

Tags (2)
1 Solution

martin_mueller
SplunkTrust
SplunkTrust

Looks like a bug to me, I've filed a case ¯\(ツ)

View solution in original post

mbrunetto
Path Finder

Worked a similar issue with support, but couldn't use the "where" option due to the way my search was formed. You can also make a change to limits.conf to use the old behavior. Documenting here in case anyone else finds this article looking for a similar solution.

Workaround:
limits.conf: [search] use_search_evaluator_v2=false

Tracked as Splunk Issues: SPL-179357, SPL-179700
Reference:
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/Knownissues

garias_splunk
Splunk Employee
Splunk Employee

There is a workaround, try this:
use a "| where" command instead, example:
index=_internal
| where NOT cidrmatch("127.0.0.0/8", clientip)
| stats count BY clientip

girtsgr
Explorer

Yeah, already got the support email and implemented it in some cases, and also posted here.

0 Karma

mhoogcarspel_sp
Splunk Employee
Splunk Employee

Just to be clear, it's the combination of:
Splunk 8.0.0
search
negation (!=, NOT)
in combination with CIDR based filtering (10.0.0.0/8)

where command with cidrmatch isn't affected
negation of non-CIDR values isn't affected

0 Karma

girtsgr
Explorer

Fails without search command as well, eg, index=myindex src_ip!=10.0.0.0/8

But yes:

where command with cidrmatch isn't affected
negation of non-CIDR values isn't affected
true

0 Karma

mhoogcarspel_sp
Splunk Employee
Splunk Employee

"index=myindex src_ip!=10.0.0.0/8" is also the search command, any search string without a command at the beginning is actually "| search ... " 🙂

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Looks like a bug to me, I've filed a case ¯\(ツ)

martin_mueller
SplunkTrust
SplunkTrust

Repro'd by support, bug SPL-179357.

girtsgr
Explorer

FYI: support suggested a workaround:

There is a workaround, try this:
use a "| where" command instead, example:
index=_internal
| where NOT cidrmatch("127.0.0.0/8", clientip)
| stats count BY clientip

0 Karma

niketn
Legend

Adding a where to second pipe would mean query will become expensive. You will be pulling all IPs from index then filtering out one is a very bad search to execute. This can be a workaround only if your Splunk Infrastructure can support and only if dashboard somehow still performs.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"

martin_mueller
SplunkTrust
SplunkTrust

Not really, no. The original NOT field=value for search-time fields is slow already, not making it to lispy. Moving it to a where won't change scanCount.

niketn
Legend

I did NOT see that. Thanks for correction 🙂

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma

girtsgr
Explorer

Is it worth to file another report? Will that help to escalate the priority of this bug?

0 Karma

martin_mueller
SplunkTrust
SplunkTrust

Can't hurt to tell support that you're affected too. At the very least they'll then tell you when a fix is available.

0 Karma

girtsgr
Explorer

Thanks, done.

0 Karma

manjunathmeti
SplunkTrust
SplunkTrust

Try index=myindex src_ip!="10.0.0.0/8" OR index=myindex NOT src_ip="10.0.0.0/8".

0 Karma

girtsgr
Explorer

Tried it already, no luck.

0 Karma
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...

What's new in Splunk Cloud Platform 9.1.2312?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.1.2312! Analysts can ...

What’s New in Splunk Security Essentials 3.8.0?

Splunk Security Essentials (SSE) is an app that can amplify the power of your existing Splunk Cloud Platform, ...