Hi,
This is one of the canned correlation searches included in Splunk Enterprise Security. How can I exclude events from a specific sourcetype from this search? My attempt to do this (which didn't work) is also below.
The original search:
| `src_dest_tracker("allowed")` | lookup local=true sans_blocklist_lookup src OUTPUTNEW src_ip as src_sans_ip,src_is_sans | lookup local=true sans_blocklist_lookup dest OUTPUTNEW dest_ip as dest_sans_ip,dest_is_sans | search dest_is_sans=true OR src_is_sans=true | eval sans_ip=if(dest_is_sans=="true",dest_sans_ip,sans_ip) | eval sans_ip=if(src_is_sans=="true",src_sans_ip,sans_ip) | fields + sourcetype,src,dest,sans_ip
My attempt to remove results from a sourcetype:
sourcetype!="IPS" | `src_dest_tracker("allowed")` | lookup local=true sans_blocklist_lookup src OUTPUTNEW src_ip as src_sans_ip,src_is_sans | lookup local=true sans_blocklist_lookup dest OUTPUTNEW dest_ip as dest_sans_ip,dest_is_sans | search dest_is_sans=true OR src_is_sans=true | eval sans_ip=if(dest_is_sans=="true",dest_sans_ip,sans_ip) | eval sans_ip=if(src_is_sans=="true",src_sans_ip,sans_ip) | fields + sourcetype,src,dest,sans_ip
My attempt produced the error: "Error in 'tstats' command: This command must be the first command of a search". I tried placing the "sourcetype!="IPS" elsewhere in the search string but just got more errors. Any help is appreciated. Thanks!
Try this (if not already tried)
| `src_dest_tracker("allowed")` | search NOT sourcetype="IPS" | lookup local=true sans_blocklist_lookup src OUTPUTNEW src_ip as src_sans_ip,src_is_sans | lookup local=true sans_blocklist_lookup dest OUTPUTNEW dest_ip as dest_sans_ip,dest_is_sans | search dest_is_sans=true OR src_is_sans=true | eval sans_ip=if(dest_is_sans=="true",dest_sans_ip,sans_ip) | eval sans_ip=if(src_is_sans=="true",src_sans_ip,sans_ip) | fields + sourcetype,src,dest,sans_ip
I don't know exactly what is in the src_dest_tracker
macro, so there might be a more efficient way to do what you want, but this will work
| `src_dest_tracker("allowed")`
| where sourcetype!="IPS"
| lookup local=true sans_blocklist_lookup src OUTPUTNEW src_ip as src_sans_ip,src_is_sans | lookup local=true sans_blocklist_lookup dest OUTPUTNEW dest_ip as dest_sans_ip,dest_is_sans | search dest_is_sans=true OR src_is_sans=true | eval sans_ip=if(dest_is_sans=="true",dest_sans_ip,sans_ip) | eval sans_ip=if(src_is_sans=="true",src_sans_ip,sans_ip) | fields + sourcetype,src,dest,sans_ip
The macro contains the initial search, so your condition must follow that. Note I put in in a where
command, as the second command in the pipeline. Everything else remains the same.
This also worked, but I could only select one answer as the "answer". But thank you!
Try this (if not already tried)
| `src_dest_tracker("allowed")` | search NOT sourcetype="IPS" | lookup local=true sans_blocklist_lookup src OUTPUTNEW src_ip as src_sans_ip,src_is_sans | lookup local=true sans_blocklist_lookup dest OUTPUTNEW dest_ip as dest_sans_ip,dest_is_sans | search dest_is_sans=true OR src_is_sans=true | eval sans_ip=if(dest_is_sans=="true",dest_sans_ip,sans_ip) | eval sans_ip=if(src_is_sans=="true",src_sans_ip,sans_ip) | fields + sourcetype,src,dest,sans_ip
This worked perfectly, thank you!