Exclude the given IPs from the Splunk search query below and modify it accordingly
IPs to exclude:
10.17.1.55
10.17.1.56
10.17.1.57
192.168.216.31
192.168.215.129
192.168.215.99
| tstats summariesonly=true count, dc(All_Traffic.dest_ip) as "num_dest_ip", dc(All_Traffic.dest_port) as "num_dest_port", values(sourcetype) as sourcetype, values(All_Traffic.action) as "action"
    from datamodel="Network_Traffic"."All_Traffic"
    where (sourcetype="*") (All_Traffic.src_ip=10.0.0.0/8 OR All_Traffic.src_ip=192.168.0.0/16 OR All_Traffic.src_ip=172.16.0.0/12) AND (All_Traffic.dest_ip=10.0.0.0/8 OR All_Traffic.dest_ip=192.168.0.0/16 OR All_Traffic.dest_ip=172.16.0.0/12)
    by "All_Traffic.src_ip", "All_Traffic.dest_port", _time span=5m
| rename "All_Traffic.*" as "*"
| sort - count
| where num_dest_ip>300 AND dest_port!="0"
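As an added example (not part of the original post), the detection logic of this query re-implemented in Python over constructed flow records, with the six listed source IPs dropped before aggregation. The record field names mirror the query's fields; the RFC 1918 ranges, the 5-minute span, the dest_port!=0 filter and the >300 threshold come from the query, and the sample data is constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# RFC 1918 ranges matched by the query's src_ip/dest_ip CIDR filters
PRIVATE = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Source hosts the poster wants excluded from the results
EXCLUDED_SRC = {"10.17.1.55", "10.17.1.56", "10.17.1.57",
                "192.168.216.31", "192.168.215.129", "192.168.215.99"}
SPAN = 300  # the query's span=5m, in seconds

def is_private(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in PRIVATE)

def detect(records, threshold=300):
    """Mirror the tstats aggregation: group by (src_ip, dest_port, 5m bucket), count
    events and distinct dest_ip, keep num_dest_ip > threshold and dest_port != 0."""
    buckets = defaultdict(lambda: {"count": 0, "dest_ips": set()})
    for r in records:
        # Excluded sources are dropped before aggregation, where the where-clause filters act
        if r["src_ip"] in EXCLUDED_SRC:
            continue
        if not (is_private(r["src_ip"]) and is_private(r["dest_ip"])):
            continue
        bucket_start = r["_time"] - r["_time"] % SPAN
        b = buckets[(r["src_ip"], r["dest_port"], bucket_start)]
        b["count"] += 1
        b["dest_ips"].add(r["dest_ip"])
    rows = []
    for (src, port, t), b in buckets.items():
        # dc(dest_port) is always 1 per row here, because dest_port is a group-by field
        if len(b["dest_ips"]) > threshold and port != 0:
            rows.append({"src_ip": src, "dest_port": port, "_time": t,
                         "count": b["count"], "num_dest_ip": len(b["dest_ips"])})
    return sorted(rows, key=lambda row: -row["count"])

def sample_records():
    """Constructed flow records (not real data): one noisy internal host, one excluded
    host behaving the same way, and two ordinary connections."""
    base = 1_700_000_100  # epoch seconds, aligned to a 5m boundary
    recs = []
    for i in range(350):
        dest = f"10.20.{i // 250}.{i % 250 + 1}"  # 350 distinct internal targets
        for src in ("10.5.5.5", "10.17.1.55"):
            recs.append({"_time": base + i % 299, "src_ip": src, "dest_ip": dest, "dest_port": 445})
    recs.append({"_time": base + 10, "src_ip": "10.5.5.6", "dest_ip": "10.20.0.1", "dest_port": 443})
    recs.append({"_time": base + 10, "src_ip": "10.5.5.7", "dest_ip": "8.8.8.8", "dest_port": 53})
    return recs

if __name__ == "__main__":
    print(detect(sample_records()))  # only 10.5.5.5 survives; 10.17.1.55 is excluded
```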