Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove multiple values of attributes using single NOT

vittal_kumar
Engager
‎03-10-2017 02:48 AM

Hello Everyone,

I want to block multiple IP address I got my using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy

Is there any way to block all using single NOT command or any other like example IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)

Thanks in advance!

VK

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-10-2017 07:32 AM

For small list, you can use following subsearch method. Provide space separated list of IP in the subsearch eval command.

index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz"  | table IP | makemv IP  ] ..| rest of the search
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎03-10-2017 04:22 AM

Well, you can do something similar to what you wrote:

... NOT (IP=X OR IP=Y)

Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:

... NOT (IP=192.168.0.0/24)

Or you could put them in a lookup and remove them using a subsearch:

... NOT [ | inputlookup <your lookup> ]

That last will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from and if you want to go down that route ask!

Happy Splunking!
-Rich

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...