- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How Can I View IPs That Have NOT Generated Events?
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For example, I want to run the following search and have splunk output IPs that do NOT show up in the results.
index=blah dest_ip=10.0.0.0/16
I imagine i need to use the stats count function but I have yet to figure it out.
edit: I have a list of ~1600 hosts and I want to see which ones in this list have not generated any events.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you've list of IP's, I'm assuming that you've a string list of IPs which you want to check if they have any events from that IP. If this is correct try this (gentimes is just placeholder creator)
index=blah [| gentimes start=-1 | eval dest_ip="Your comma separated IP list, e.g. IP1,IP2,... etc" | table dest_ip | makemv dest_ip delim="," | mvexpand dest_ip ] | stats count by dest_ip | eval Type="Have Events" | append [| gentimes start=-1 | eval dest_ip="Your comma separated IP list, e.g. IP1,IP2,... etc" | table dest_ip | makemv dest_ip delim="," | mvexpand dest_ip | eval Type="No Events"] | stats values(Type) as Type by dest_ip | where mvcount(Type)=1 AND Type="No Events"
This should give you IP from your list of IP which don't have any events in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Finally got it working...
first, create a lookup table first with the IPs that I want to cross reference:
index=nessus severity=critical | stats count by dest_ip | table dest_ip | outputlookup crit_vuln_hosts.csv
second, cross reference that table against all of my indexes except for the nessus one:
| inputlookup crit_vuln_hosts.csv | fields dest_ip | search NOT [ search index!=nessus | dedup dest_ip | fields dest_ip ]
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you say you've list of IP's, I'm assuming that you've a string list of IPs which you want to check if they have any events from that IP. If this is correct try this (gentimes is just placeholder creator)
index=blah [| gentimes start=-1 | eval dest_ip="Your comma separated IP list, e.g. IP1,IP2,... etc" | table dest_ip | makemv dest_ip delim="," | mvexpand dest_ip ] | stats count by dest_ip | eval Type="Have Events" | append [| gentimes start=-1 | eval dest_ip="Your comma separated IP list, e.g. IP1,IP2,... etc" | table dest_ip | makemv dest_ip delim="," | mvexpand dest_ip | eval Type="No Events"] | stats values(Type) as Type by dest_ip | where mvcount(Type)=1 AND Type="No Events"
This should give you IP from your list of IP which don't have any events in Splunk.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Awesome, this is exactly what I needed. I tested it out with two bogus IPs over a 30 second period and it worked. Trying it now with a list of 1500 IPs and hoping it doesn't crash.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I don't think I can understand the requirement here? Does this search returns some field name with IP address and you want to exclude those IP from search results and show everything else??
Shot in dark, try this
index=blah NOT [search index=blah dest_ip=10.0.0.0/16 | stats count by YourIPField | table YourIPField] | stats count by YourIPField
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Say I have a list of 5 IPs: 10.0.0.1 - 10.0.0.5. I want to see which one of those 5 IPs have yet to generate an event. If I just exclude 10.0.0.0/16 I will get results for 172.1.1.1, 192.168.1.1, etc... if 10.0.0.3 was the only IP to not generate an event then I want 10.0.0.3 to be the only result from the splunk search.
So 10.0.0.3 does not exist anywhere in a splunk index... maybe its not possible and I just need to pull all IPs that exist in a splunk field and then diff it against my list of IPs?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For events, like this:
index=blah NOT dest_ip=10.0.0.0/16
Or
index=blah | regex dest_ip!=10.0.0.0/16
For just IPs, like this:
index=blah NOT dest_ip=10.0.0.0/16 | stats values(dest_ip)
Or, if I am being too literal, perhaps you need to make use of the above but ALSO the cidrmatch function:
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/CommonEvalFunctions
Announcing Scheduled Export GA for Dashboard Studio
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!
