exclude two ranges in a search

I want to search my firewall log for tcp denials from the outside on port 22. So far, I have this:

"deny tcp source outside" /22

That seems to work.

Now, I want to exclude some vulnerability scanners...I'm thinking

"deny tcp source outside" /22 src_ip!= or

Not working so well...any suggestions?


Splunk Employee

Is src_ip an extracted field? If not, the above will not work.
If it is, it still won't work; you might want to try

src_ip!="" src_ip!=  

If this is not an extracted field, then you might want to try with:
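The reply above hinges on src_ip being an extracted field and on how several exclusions combine. The following is an added example, not code from the thread or from Splunk: it runs the same logic in Python over constructed firewall log lines in a hypothetical "deny <proto> source <zone>:<ip>/<port> dest <zone>:<ip>/<port>" layout, with a regex standing in for Splunk's field extraction and assumed field names (src_ip, dest_port, and so on). It shows three things: that the bare token "/22" also hits a source port of 22, that an extracted dest_port field avoids that, and that joining the exclusions with OR (src_ip!=A OR src_ip!=B) excludes nothing once there are two or more scanner addresses, whereas listing them side by side (an implicit AND) does.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample firewall log lines in a hypothetical layout; these are
# not real firewall output and not from the original post.
SAMPLE_LOG: List[str] = [
    "Jun 12 10:00:01 fw1 deny tcp source outside:203.0.113.10/44123 dest inside:10.1.1.5/22",
    "Jun 12 10:00:02 fw1 deny tcp source outside:198.51.100.7/51234 dest inside:10.1.1.5/22",
    "Jun 12 10:00:03 fw1 deny tcp source outside:203.0.113.10/44124 dest inside:10.1.1.6/443",
    "Jun 12 10:00:04 fw1 deny udp source outside:192.0.2.9/5353 dest inside:10.1.1.5/22",
    "Jun 12 10:00:05 fw1 deny tcp source inside:10.1.2.3/40000 dest dmz:10.1.1.5/22",
    "Jun 12 10:00:06 fw1 deny tcp source outside:192.0.2.9/40001 dest inside:10.1.1.5/22",
    "Jun 12 10:00:07 fw1 deny tcp source outside:198.51.100.7/22 dest inside:10.1.1.7/8080",
    "Jun 12 10:00:08 fw1 deny tcp source outside:203.0.113.55/50000 dest inside:10.1.1.5/22",
]

# Constructed list of vulnerability-scanner addresses to exclude (assumption).
SCANNERS: Set[str] = {"192.0.2.9", "203.0.113.55"}

# Hypothetical field extraction; plays the role of Splunk's src_ip / dest_port
# extraction on the firewall sourcetype. Field names are assumptions.
FIELD_RE = re.compile(
    r"deny (?P<proto>\w+) source (?P<src_zone>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dest (?P<dest_zone>\w+):(?P<dest_ip>[\d.]+)/(?P<dest_port>\d+)"
)


def extract_fields(line: str) -> Optional[Dict[str, str]]:
    """Return the extracted fields for one log line, or None if it does not parse."""
    m = FIELD_RE.search(line)
    return m.groupdict() if m else None


def bare_token_hits(lines: List[str]) -> List[str]:
    """Mimic the original search: the phrase plus the bare token "/22".

    "/22" matches anywhere in the line, so a source port of 22 (line 7 above)
    is counted along with destination port 22.
    """
    return [ln for ln in lines if "deny tcp source outside" in ln and "/22" in ln]


def filter_events(lines: List[str], scanners: Set[str]) -> List[Dict[str, str]]:
    """Field-based search with the scanners excluded.

    Equivalent SPL with the assumed field names:
        "deny tcp source outside" dest_port=22 NOT (src_ip="192.0.2.9" OR src_ip="203.0.113.55")
    or, written as in the reply above, with the two clauses side by side
    (an implicit AND):
        "deny tcp source outside" dest_port=22 src_ip!="192.0.2.9" src_ip!="203.0.113.55"
    """
    out = []
    for ln in lines:
        f = extract_fields(ln)
        if f is None:
            continue
        if f["proto"] != "tcp" or f["src_zone"] != "outside" or f["dest_port"] != "22":
            continue
        if f["src_ip"] in scanners:  # every scanner must be absent: AND of the !=
            continue
        out.append(f)
    return out


def naive_or_filter(lines: List[str], scanners: Set[str]) -> List[Dict[str, str]]:
    """What src_ip!=A OR src_ip!=B actually does.

    Any single address differs from at least one of two or more scanner
    addresses, so every event satisfies the OR and nothing is excluded.
    """
    out = []
    for ln in lines:
        f = extract_fields(ln)
        if f is None:
            continue
        if f["proto"] != "tcp" or f["src_zone"] != "outside" or f["dest_port"] != "22":
            continue
        if any(f["src_ip"] != s for s in scanners):
            out.append(f)
    return out


if __name__ == "__main__":
    print("bare-token hits:", len(bare_token_hits(SAMPLE_LOG)))
    print("field search, scanners excluded:", [e["src_ip"] for e in filter_events(SAMPLE_LOG, SCANNERS)])
    print("OR of != (excludes nothing):", [e["src_ip"] for e in naive_or_filter(SAMPLE_LOG, SCANNERS)])
```

With the constructed lines, the bare-token search returns five events (including the one whose source port is 22), the field-based search with the scanners excluded returns the two genuine outside-to-22 denials, and the OR-of-inequalities version returns all four outside-to-22 denials, scanners included.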