Splunk Search

What is the best way to exclude 2 or more countries from iplocation src_ip results?

packet_hunter
Contributor

Let's say I want to look up IP location for all IPs by user, but I want to exclude 2 or more countries?

For example:

...| iplocation src_ip | search Country!="India" AND Country!="Canada" AND Country!="United Kingdom" |stats values(Country) values(Region) values(City) values(src_ip) by user

Is there a better way to exclude countries other than Country!= .... ?

0 Karma
1 Solution

niketn
Legend

@packet_hunter ... You can run both searches and compare them in the Job Inspector for performance. My only recommendation is that inclusion is better than exclusion; also, filtering upfront in the query is better than filtering later on. However, both in your case are not feasible, so just check for performance.

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"


0 Karma

gcusello
SplunkTrust

Hi packet_hunter,
the better way to dynamically manage exclusions in a search, or to manage many exclusions at the same time, is to put them in a lookup and exclude results from your search:

 ...| iplocation src_ip | search NOT [ | inputlookup exclusions.csv | fields Country] |stats values(Country) values(Region) values(City) values(src_ip) by user

In this way, if you need to modify the exclusions list you don't need to modify all your searches, but only the lookup, and your search is slimmer.

Bye.
Giuseppe

0 Karma

packet_hunter
Contributor

Thank you for suggestion, it is very good and I am making a note of it for future use.

0 Karma


packet_hunter
Contributor

Thank you all for the replies! Niketnilay please convert your comment to an answer and I will accept.

0 Karma

jkat54
SplunkTrust

maybe

  | search NOT (Country=India OR Country=Canada OR Country="United Kingdom")
0 Karma

packet_hunter
Contributor

Thank you for the reply. By writing it this way, is NOT better than != in terms of search performance?

0 Karma

somesoni2
SplunkTrust

I don't think there is any performance difference between those two methods (!= versus NOT). The only difference is when you use NOT to filter, it'll also keep the results where Country=null, whereas != will exclude them.

Do you see any performance issue in your query? The field Country is available after iplocation command and you're filtering right after that so I don't see any improvement there.

0 Karma
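A self-contained SPL check of the null-handling difference somesoni2 describes above, added here as an example and not part of any post in the thread. The users, IPs and countries are constructed, and Country is set with eval instead of iplocation so the search runs without a GeoIP database; erin's private address stands in for any IP that iplocation cannot resolve and therefore leaves Country empty.

```spl
| makeresults count=5
| streamstats count AS n
| eval user=case(n==1,"alice", n==2,"bob", n==3,"carol", n==4,"dave", n==5,"erin")
| eval src_ip=case(n==1,"203.0.113.10", n==2,"198.51.100.20", n==3,"192.0.2.30", n==4,"203.0.113.40", n==5,"10.0.0.5")
| eval Country=case(n==1,"India", n==2,"Canada", n==3,"United States", n==4,"United Kingdom")
| fields - _time n
| search NOT (Country="India" OR Country="Canada" OR Country="United Kingdom")
| stats values(Country) AS Country values(src_ip) AS src_ip by user
```

With the NOT form the result has two rows, carol (United States) and erin (empty Country, 10.0.0.5); swapping the search line for `| search Country!="India" AND Country!="Canada" AND Country!="United Kingdom"` drops erin as well, so a country exclusion written with != silently hides unresolvable or internal sources from the report.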

packet_hunter
Contributor

Just have to convert to an answer for points, thanks.

0 Karma

packet_hunter
Contributor

That is what I was thinking.
I just wanted to get some opinions on exclusion as I have heard that searching for NOT or != slows down searches.

Thank you

0 Karma