I am curious whether tags can be used to identify complete subnets. For example, I would like to assign the tag name "dmz1" to the field value pair dest_ip=10.1.0.0/16. I would also like to assign the same tag name "dmz1" to the field value pair src_ip=10.1.0.0/16.
After creating the tags, I ran the search sourcetype=cisco:asa tag::src_ip=dmz1 and received results. I ran the search sourcetype=cisco:asa tag::dest_ip=dmz1 and also received results. When I attempted the search sourcetype=cisco:asa tag::src_ip=dmz1 tag::dest_ip!=dmz1, no results were returned.
I did verify that when tag::src_ip=dmz1, there are destination IP addresses which are not included in the subnet 10.1.0.0/16.
Is there some aspect of my logic which is incorrect? Assistance would be appreciated.
Thank you.
Hi adamblock2,
I can give the answer to your question. Let me explain by taking my example. Below you can see I have one tag, categorytag, given to categoryId=Accessories. Also see the number of events and tags in the diagrams below.
Next, the same tag is given to another categoryId=Strategy.
When you give a tag with one name to both events, it will take both events or none at all. The solution to your problem is naming two tags, one for source_ip and one for destination_ip.
index=* tag=categorytag AND categoryID!=STRATEGY gives no results: you are doing a AND (intersection) !a, which is definitely null.
I have created another tag, actiontag, where action=purchase (like destination_ip).
I write the query like this: index=* tag=categorytag NOT tag=actiontag
Then you will get all the results for categories in categorytag that don't have purchases (i.e. source ip). Let me know if it works.
When you use tags, it just ORs the field value pairs. You can verify that in the job inspector, where it evaluates to the real value.
So in your case, when you search sourcetype=cisco:asa tag::src_ip=dmz1, your final search should be (src_ip=10.1.0.0/16 OR dest_ip=10.1.0.0/16),
and when you negate one, then most probably they cancel each other (can't verify though).
Can you check your job inspector to see what the final search (normalized search) Splunk executes? That should give you a hint.
I understand how if I were to say "tag=dmz1" that Splunk would OR this. However, if I specifically state "tag::src_ip=dmz1", wouldn't/shouldn't that direct Splunk to only apply dmz1 to src_ip?
Sorry, but I don't have a Splunk env at the moment to try. But can you search that and see what the job inspector says?
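As an added illustration that is not from this thread: a small Python model of the two expansions discussed above, the whole-tag OR expansion the second answer describes (tag=dmz1 becomes src_ip=10.1.0.0/16 OR dest_ip=10.1.0.0/16) and the field-scoped form the question asks about (tag::src_ip=dmz1). The events and the non-10.1.x.x addresses are constructed; the model does not reproduce Splunk's real normalized search, which is what the job inspector shows.

```python
import ipaddress

# Tag definitions as in the question: "dmz1" on both src_ip and dest_ip.
TAGS = {"dmz1": [("src_ip", "10.1.0.0/16"), ("dest_ip", "10.1.0.0/16")]}

# Constructed sample events standing in for sourcetype=cisco:asa records
# (203.0.113.x and 198.51.100.x are documentation ranges, not real hosts).
EVENTS = [
    {"src_ip": "10.1.4.7", "dest_ip": "10.1.9.2"},         # both inside the subnet
    {"src_ip": "10.1.4.7", "dest_ip": "198.51.100.5"},     # src inside, dest outside
    {"src_ip": "203.0.113.9", "dest_ip": "10.1.0.12"},     # src outside, dest inside
    {"src_ip": "203.0.113.9", "dest_ip": "198.51.100.5"},  # neither
]


def pair_matches(event, field, value):
    """CIDR-aware field=value test for IP fields; falls back to exact match."""
    if field not in event:
        return False
    try:
        return ipaddress.ip_address(event[field]) in ipaddress.ip_network(value, strict=False)
    except ValueError:
        return event[field] == value


def tag_any_field(event, tag):
    """Whole-tag expansion as the answer describes: OR over every pair in the tag."""
    return any(pair_matches(event, f, v) for f, v in TAGS[tag])


def tag_on_field(event, field, tag):
    """Field-scoped expansion (tag::src_ip=dmz1): only the pairs defined on that field."""
    return any(pair_matches(event, f, v) for f, v in TAGS[tag] if f == field)


def search_unscoped():
    # tag=dmz1 AND NOT tag=dmz1: a AND !a, empty whatever the data contains.
    return [e for e in EVENTS if tag_any_field(e, "dmz1") and not tag_any_field(e, "dmz1")]


def search_scoped():
    # tag::src_ip=dmz1 AND tag::dest_ip!=dmz1 under per-field expansion: src in, dest out.
    return [e for e in EVENTS
            if tag_on_field(e, "src_ip", "dmz1") and not tag_on_field(e, "dest_ip", "dmz1")]


if __name__ == "__main__":
    print("whole-tag expansion:", search_unscoped())  # []
    print("field-scoped expansion:", search_scoped())  # one event: src in, dest out
```

If the job inspector shows the first shape (every pair ORed regardless of the tag::field prefix), the empty result is the a AND !a case the first answer names; if it shows the second shape, the problem lies elsewhere.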