Splunk Search

exclude two ranges in a search

New Member

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:

"deny tcp source outside" /22

That seems to work.

Now, I want to exclude some vulnerability scanners...I'm thinking

"deny tcp source outside" /22 src_ip!=64.39.106.0/24 or 216.93.24.244

Not working so well...any suggestions?

Tags (1)
0 Karma

Splunk Employee
Splunk Employee

is src_ip an extracted field? if not the above will not work.
If it is, it still wont work, you might want to try

src_ip!="64.39.106.024" src_ip!=216.93.24.244  

If this is not an extracted field, then you might want to try with:

NOT 216.93.24.244 NOT 64.39.106.024
State of Splunk Careers

Access the Splunk Careers Report to see real data that shows how Splunk mastery increases your value and job satisfaction.

Find out what your skills are worth!