Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Remove multiple values of attributes using single NOT

vittal_kumar
Engager
‎03-10-2017 02:48 AM

Hello Everyone,

I want to block multiple IP address I got my using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy

Is there any way to block all using single NOT command or any other like example IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)

Thanks in advance!

VK

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

View solution in original post

0 Karma
Reply
Solved! Jump to solution

somesoni2
Revered Legend
‎03-10-2017 07:32 AM

For small list, you can use following subsearch method. Provide space separated list of IP in the subsearch eval command.

index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz"  | table IP | makemv IP  ] ..| rest of the search
Reply
Solved! Jump to solution

Richfez
SplunkTrust
SplunkTrust
‎03-10-2017 04:22 AM

Well, you can do something similar to what you wrote:

... NOT (IP=X OR IP=Y)

Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:

... NOT (IP=192.168.0.0/24)

Or you could put them in a lookup and remove them using a subsearch:

... NOT [ | inputlookup <your lookup> ]

That last will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from and if you want to go down that route ask!

Happy Splunking!
-Rich

Reply
Solved! Jump to solution
Solution

gcusello
SplunkTrust
SplunkTrust
‎03-10-2017 04:11 AM

Hi vittal_kumar,
you could use eval commands with match or like, but it's slow!
the best way is to insert all your IPs in a lookup or tag them in an eventtype.

Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...