Have spent a lot of time on this today and still getting nowhere, frustrating!
Using standard splunk search I can use:
description=assign | where NOT cidrmatch("10.50.96.1/20",dest_ip) | where NOT cidrmatch("10.50.80.1/21",dest_ip) | where NOT cidrmatch("10.49.16.1/27",dest_ip) | rex mode=sed field=dest "s/\.company\.domain\.com//g" | where NOT like(dest, "Prefix1%") AND NOT like(dest, "Prefix2%") AND NOT like(dest, "Prefix3%") AND NOT like(dest, "Prefix4%") AND dest!=dest_mac
I get the desired results, where I see hostnames with prefixes not specified in the search. Maybe 4 or 5 hostnames (dest field).
I've turned the same syntax into a correlation search (checked parsing using guided mode too, but left the search as manual) and created a notable event with the title
"Suspicious Host Discovered - $dest$ at $time$ on $date$"
I instead see:
"Suspicious Host Discovered - unknown at unknown on unknown"
There are also multiple events created (10s or 100s). If a normal search has 4 results, why does the incident dashboard not show 4 notable events from the correlation search, which uses the same syntax? Doesn't seem very intuitive.
Tomorrow's another day.
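As an added illustration (not part of the post above), the following Python models the filter chain of that SPL search over a handful of constructed DHCP-style events, and separately models how `$field$` tokens in a notable title are filled from a result row, with a missing field rendering as "unknown" as the post shows. The sample events, prefixes and the `render_title` helper are assumptions for the example, not Splunk's own code.

```python
import ipaddress
import re

# Constructed sample events; field names mirror the search (dest_ip, dest, dest_mac).
EVENTS = [
    {"description": "assign", "dest_ip": "10.50.96.7", "dest": "Prefix1-ws01.company.domain.com", "dest_mac": "00:11:22:33:44:55"},
    {"description": "assign", "dest_ip": "192.0.2.10", "dest": "Prefix2-srv.company.domain.com", "dest_mac": "00:11:22:33:44:56"},
    {"description": "assign", "dest_ip": "192.0.2.11", "dest": "rogue-box.company.domain.com", "dest_mac": "00:11:22:33:44:57"},
    {"description": "assign", "dest_ip": "192.0.2.12", "dest": "00:11:22:33:44:58", "dest_mac": "00:11:22:33:44:58"},
    {"description": "renew", "dest_ip": "192.0.2.13", "dest": "other-host.company.domain.com", "dest_mac": "00:11:22:33:44:59"},
]

# The three excluded ranges from the search; strict=False mirrors cidrmatch accepting a host address as the prefix.
EXCLUDED_CIDRS = [ipaddress.ip_network(c, strict=False)
                  for c in ("10.50.96.1/20", "10.50.80.1/21", "10.49.16.1/27")]
KNOWN_PREFIXES = ("Prefix1", "Prefix2", "Prefix3", "Prefix4")
DOMAIN_SUFFIX = re.compile(r"\.company\.domain\.com")  # the rex mode=sed strip
TOKEN = re.compile(r"\$(\w+)\$")                        # $field$ placeholders in a notable title


def suspicious_hosts(events):
    """Apply the same filters as the SPL search; return surviving rows with dest already stripped."""
    out = []
    for ev in events:
        if ev.get("description") != "assign":
            continue
        ip = ipaddress.ip_address(ev["dest_ip"])
        if any(ip in net for net in EXCLUDED_CIDRS):          # NOT cidrmatch(...) x3
            continue
        dest = DOMAIN_SUFFIX.sub("", ev["dest"])              # rex mode=sed s/.../ /g
        if dest.startswith(KNOWN_PREFIXES) or dest == ev["dest_mac"]:  # NOT like(...) AND dest!=dest_mac
            continue
        out.append({**ev, "dest": dest})
    return out


def render_title(template, row):
    """Fill $field$ tokens from one result row; a field absent from the row renders as 'unknown'.
    This is a model of the behaviour seen in the post (assumption), not Splunk ES source."""
    return TOKEN.sub(lambda m: str(row.get(m.group(1), "unknown")), template)
```

Run the filter, then render the title once from a bare result row and once from a row that also carries `time` and `date` fields to see where the "unknown" values come from.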