Splunk Search

How to edit my search to make an IF statement filter out IPs?

DrSplunkenstein
Engager

Hey guys!

I'm trying to filter out a few IPs from certain categories and I just can't manage; something like:

IF category="Attempted information leak" AND NOT source_ip="127.0.0.1" OR destination_ip="127.0.0.2"

I still want the IP to appear in all other places except for under the category "Attempted information leak".

Any smart solutions?

0 Karma

DrSplunkenstein
Engager

Hey! Thanks a lot for the quick replies, guys!

I do want the attempt information leak category to stay in, but I want to filter the 2 IPs away from only that 1 category. I hope that makes some sense!

I have this

Attempt info leak
12.23.45.56
18.45.798.2
127.0.0.1

I want to remove it so I only get

Attempt info leak
12.23.45.56
18.45.798.2

If I just write source_ip!="127.0.0.1" it's removed from all categories.

0 Karma

gcusello
SplunkTrust

Hi DrSplunkenstein,
for the first need, you have to insert in your searches the additional condition:

your_search category="Attempted information leak" NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") | ...

Regarding the second need, I didn't understand it: do you want events with category="Attempted information leak" or not?

Bye.
Giuseppe

0 Karma

somesoni2
SplunkTrust

Is this a filter in the base search OR somewhere later in the search using where command?

Updated
Filter in Base search

index=foo sourcetype=bar NOT (category="Attempted information leak" AND NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") )

You can have same thing in where clause

....| where NOT (category="Attempted information leak" AND NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") )

somesoni2
SplunkTrust

Try the updated queries.

0 Karma

DrSplunkenstein
Engager

This worked! Thanks a ton, I've been trying to make it work for 2 hours! Cheers!

0 Karma
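As an added example (not code from the thread or from Splunk), here is a small Python model of the requirement stated in the question: drop events carrying the two IPs only when their category is "Attempted information leak", and keep those IPs everywhere else. The event records and the "Web attack" category are constructed sample data; the SPL-like boolean in the comment is this example's own rendering of the same logic with explicit parentheses, useful for checking a candidate filter against known rows before putting it in a detection search.

```python
"""Model of the filter from the question: exclude two IPs, but only inside
one category. Added example with constructed data, not the thread's own code."""

EXCLUDED_CATEGORY = "Attempted information leak"
EXCLUDED_SOURCE_IPS = {"127.0.0.1"}
EXCLUDED_DEST_IPS = {"127.0.0.2"}

# Constructed sample events; field names mirror the question
# (category, source_ip, destination_ip). "Web attack" is a made-up category.
SAMPLE_EVENTS = [
    {"category": EXCLUDED_CATEGORY, "source_ip": "12.23.45.56", "destination_ip": "10.0.0.5"},
    {"category": EXCLUDED_CATEGORY, "source_ip": "18.45.78.2", "destination_ip": "10.0.0.5"},
    {"category": EXCLUDED_CATEGORY, "source_ip": "127.0.0.1", "destination_ip": "10.0.0.5"},
    {"category": EXCLUDED_CATEGORY, "source_ip": "10.1.1.1", "destination_ip": "127.0.0.2"},
    {"category": "Web attack", "source_ip": "127.0.0.1", "destination_ip": "10.0.0.9"},
    {"category": "Web attack", "source_ip": "10.1.1.1", "destination_ip": "127.0.0.2"},
]


def ip_is_excluded(event):
    """Mirrors the clause (source_ip="127.0.0.1" OR destination_ip="127.0.0.2")."""
    return (event.get("source_ip") in EXCLUDED_SOURCE_IPS
            or event.get("destination_ip") in EXCLUDED_DEST_IPS)


def keep_event(event):
    """Keep every event except (excluded category AND excluded IP).
    SPL-like rendering with explicit grouping:
        NOT (category="Attempted information leak"
             AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2"))
    """
    return not (event.get("category") == EXCLUDED_CATEGORY and ip_is_excluded(event))


def apply_filter(events, predicate=keep_event):
    """Return the events the predicate keeps, preserving order."""
    return [e for e in events if predicate(e)]


def kept_ips_by_category(events, predicate=keep_event):
    """Summarise kept events as {category: sorted source IPs} for a quick
    eyeball check that the IPs survive outside the excluded category."""
    summary = {}
    for e in apply_filter(events, predicate):
        summary.setdefault(e["category"], set()).add(e["source_ip"])
    return {cat: sorted(ips) for cat, ips in summary.items()}


if __name__ == "__main__":
    for cat, ips in kept_ips_by_category(SAMPLE_EVENTS).items():
        print(cat, ips)
```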