Splunk Search

exclude two ranges in a search

New Member

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:

"deny tcp source outside" /22

That seems to work.

Now, I want to exclude some vulnerability scanners...I'm thinking

"deny tcp source outside" /22 src_ip!=64.39.106.0/24 or 216.93.24.244

Not working so well...any suggestions?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

is src_ip an extracted field? if not the above will not work.
If it is, it still wont work, you might want to try

src_ip!="64.39.106.024" src_ip!=216.93.24.244  

If this is not an extracted field, then you might want to try with:

NOT 216.93.24.244 NOT 64.39.106.024