Splunk Query Exclude Question

johann2017 · ‎03-26-2018

I am building a search query and trying to find the correct syntax to exclude specific combinations of source and destination IP addresses. For instance, in the search results I want to exclude results only between specific source and destination IPs. So if there is a lot of traffic happening between 192.168.1.5 and 192.168.1.20 I want to only exclude traffic between those two IPs, but still see traffic between 192.168.1.5 and other IPs.

skoelpin · ‎03-26-2018

cidrmatch is what your looking for

| eval IP_Range = if(cidrmatch("192.168.1.5/25",ip), "local", "not local"))

http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConditionalFunctions

skoelpin · ‎03-28-2018

@johann2017 did this work for you?

johann2017 · ‎04-05-2018

Hello Skoelpin. I don't think cidrmatch is what I need?

tiagofbmm · ‎03-26-2018

Hey

Imagine you want to exclude some combinations you have in a lookup, you could use:

yoursearch | NOT ( [ | inputlookup ipscombination | return 1000 source ,dest | rex field="search" mode=sed "s/OR/AND/g" ]

That would exclude the combinations of source/dest you have in a lookup.

johann2017 · ‎04-05-2018

Hey Tiago - where exactly in the query do I place the IP addresses? Does this work for only 2 IPs? Will it work for more than 2?

Splunk Query Exclude Question

Observability Highlights | January 2023 Newsletter

Security Highlights | January 2023 Newsletter

Platform Highlights | January 2023 Newsletter