Splunk 8 - TSTATS WHERE IN () does not work with ...

samsonusmc · ‎12-03-2019

Providing Splunk 8 the following:

| tstats allow_old_summaries=t count from datamodel=Network_Traffic.All_Traffic where (nodename = All_Traffic.Traffic_By_Action.Allowed_Traffic) (All_Traffic.src_zone="INET") (All_Traffic.dest_ip=172.20.17.119) NOT All_Traffic.src_ip IN (40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14)by All_Traffic.src_ip, All_Traffic.action | sort - count

It doesn't filter out the subnets we asked to exclude... BUT it works on 7.3

samsonusmc · ‎12-03-2019

Nevermind.. Known issue
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/KnownIssues

2019-11-11 SPL-179357, SPL-179700 Negated subnet CIDR filter doesn't work in search.

Workaround:
Workaround:
limits.conf: [search] use_search_evaluator_v2=false

Examples searches that don't filter out values: index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip

index=_internal (clientip!=127.0.0.0/8) | stats count BY clientip

index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8) | stats sum(count) BY clientip | noop search_optimization=false

Filtering with | where is OK: index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip

Splunk 8 - TSTATS WHERE IN () does not work with CIDR

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!