Current search is essentially this:
| tstats values(All_Traffic.src) as src
from datamodel=Network_Traffic.All_Traffic
by All_Traffic.dest
| lookup mythreatlist IOC as dest OUTPUTNEW list
| search list=*
| search NOT whitelistedSources
| search NOT whitelistedDestinations
The tstats model uses a sourcetype that returns logs that do not have the URL in them, only the destination IP. This cannot change. A second sourcetype, stURL, does have the URLs. I am looking for a way to use a subsearch/join so that I can exclude all source IPs where the URL is splunkdotcom, even if the IP for splunkdotcom is on my threat list.
I have tried to create the subsearch
[search index=A sourcetype=stURL url="*splunkdotcom*" | fields src]
to obtain all source IPs that visited splunk.com and then exclude them from my tstats search but it does not appear to be working as intended.
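One way to structure this exclusion, written here as an added example and not taken from the post above. It assumes the field names as given in the question (src, dest, IOC, list, index=A, sourcetype=stURL) and that values() has already turned src into a multivalue field per dest, which is why a NOT filter on src applied to the aggregated rows has nothing to match against until the rows are expanded.

```spl
| tstats values(All_Traffic.src) AS src
    from datamodel=Network_Traffic.All_Traffic
    by All_Traffic.dest
| rename All_Traffic.dest AS dest
| lookup mythreatlist IOC AS dest OUTPUTNEW list
| search list=*
| mvexpand src
| search NOT [
    search index=A sourcetype=stURL url="*splunkdotcom*"
    | stats count BY src
    | fields src
  ]
| stats values(src) AS src BY dest list
| search NOT whitelistedSources
| search NOT whitelistedDestinations
```

The stats count BY src inside the subsearch deduplicates before the results are turned into an OR list, which keeps the subsearch under the default result limit; if the stURL index holds more distinct sources than that limit, the exclusion list is silently truncated, so check the job inspector for a subsearch truncation warning.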