Splunk Search

exclude two ranges in a search

New Member

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:

"deny tcp source outside" /22

That seems to work.

Now, I want to exclude some vulnerability scanners...I'm thinking

"deny tcp source outside" /22 src_ip!= or

Not working so well...any suggestions?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

is src_ip an extracted field? if not the above will not work.
If it is, it still wont work, you might want to try

src_ip!="" src_ip!=  

If this is not an extracted field, then you might want to try with:

State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!