Hello Splunkers,
I'm trying to run a search against some logs that include a wild carded hostname, two error messages but exclude two IP addresses. I have the first parts down but excluding the IP addresses isn't quite working out. What am I doing wrong here? (IP's modified for the post)
host="*-contlr-wl.Domain.COM" error OR fail* admin NOT (123.123.123.123 AND 456.456.456.456)
So I'm getting all reports from contlr-wl machines.
I'm getting all the messages that have either error OR fail* in them
But the two IP addresses are still showing up. How do I exclude those from my search?
Thanks everyone.
You are telling the search engine to only exclude the IPs if they both appear in the same event.
Try
NOT "*123.123.123.123*" NOT "*456.456.456.456*"
You are telling the search engine to only exclude the IPs if they both appear in the same event.
Try
NOT "*123.123.123.123*" NOT "*456.456.456.456*"
Awesome! That did it!
Thanks!