Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- exclude IPs from results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want to exclude some IP addresses which are about over 100 in my search.
Seems silly to type NOT NOT NOT.. 100+ times.
source="dbmon-tail://netmanias/splunk_ads_click" NOT "61.247.204.36" NOT "61.247.204.38" NOT "61.247.204.37" NOT "61.247.204.39" NOT "61.247.204.35......"
Is there any good idea?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes! use a combination of a lookup file and a subsearch.
Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:
match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....
Create a transforms.conf file with the following stanza:
[ipAdd]
filename = ipAdd.csv
Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):
| inputlookup ipAdd
Assuming this returns the contents of the file, you can construct your search as follows:
source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]
Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If the IP addresses are in a specific range you could use the CIDR notation like this:
source="dbmon-tail://netmanias/splunk_ads_click" NOT 61.247.204.0/24
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes! use a combination of a lookup file and a subsearch.
Put all your IP addresses into CSV file, called "ipAdd.csv" for example with the following contents:
match,ip
1,61.247.204.36
1,61.247.204.38
1,61.247.204.37
1,61.247.204.39
1,61.247.204.35
....
Create a transforms.conf file with the following stanza:
[ipAdd]
filename = ipAdd.csv
Check that Splunk likes this configuration/format by putting the following into a search box (note that the "|" should be the first character):
| inputlookup ipAdd
Assuming this returns the contents of the file, you can construct your search as follows:
source="dbmon-tail://netmanias/splunk_ads_click" NOT [|inputlookup ipAdd | rename ip AS query | fields query]
Ref:
http://docs.splunk.com/Documentation/Splunk/5.0.3/Search/Aboutsubsearches
http://docs.splunk.com/Documentation/Splunk/5.0.3/Knowledge/Addfieldsfromexternaldatasources
http://docs.splunk.com/Documentation/Splunk/4.3.4/User/HowSubsearchesWork
Hope this helps,
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you so much!! I solved it!!
Take Action Automatically on Splunk Alerts with Red Hat Ansible Automation Platform
Calling All Security Pros: Ready to Race Through Boston?
Beyond Detection: How Splunk and Cisco Integrated Security Platforms Transform ...
