Hey guys!
I'm trying to filter out a few IPs from certain categories and I just can't manage it, something like:
IF category="Attempted information leak" AND NOT source_ip="127.0.0.1" OR destination_ip="127.0.0.2"
I still want the IP to appear in all other places except under the category "Attempted information leak".
Any smart solutions?
Hey! Thanks a lot for the quick replies, guys!
I do want the "Attempted information leak" category to stay in, but I want to filter the 2 IPs away from only that 1 category; I hope that makes some sense!
I have this
Attempt info leak
12.23.45.56
18.45.798.2
127.0.0.1
I want to remove it so I only get
Attempt info leak
12.23.45.56
18.45.798.2
If I just write source_ip!="127.0.0.1" it's removed from all categories.
Hi DrSplunkenstein,
for the first need, you have to insert the additional condition in your searches:
your_search category="Attempted information leak" NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") | ...
Regarding the second need, I didn't understand it: do you want events with category="Attempted information leak" or not?
Bye.
Giuseppe
Is this a filter in the base search, or somewhere later in the search using the where command?
Updated
Filter in base search:
index=foo sourcetype=bar NOT (category="Attempted information leak" AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2"))
You can have the same thing in a where clause:
....| where NOT (category="Attempted information leak" AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2"))
Try the updated queries.
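To see concretely which rows each of these filters keeps, here is an added Python model of the boolean logic (this is not Splunk code and not from either poster). It runs the category-scoped `NOT (category=... AND (ip OR ip))` filter, a global `NOT source_ip="127.0.0.1"` and a global `source_ip!="127.0.0.1"` over a handful of constructed events. The field names and the `"Web application attack"` / `"Misc activity"` categories are assumptions for the sample data; the one Splunk-specific behaviour modelled is that a `field=value` term is false when the field is absent, so `NOT field=value` keeps field-less events while `field!=value` drops them.

```python
"""Plain-Python model of the Splunk search filters discussed in the thread.

This is an added illustration, not Splunk code. It evaluates the same boolean
predicates over constructed events so the effect of each filter is visible.
"""

LEAK = "Attempted information leak"
EXCLUDED_SRC = "127.0.0.1"
EXCLUDED_DST = "127.0.0.2"

# Constructed sample events (not real data). The last one has no IP fields at
# all, which is the case where NOT field=value and field!=value diverge.
EVENTS = [
    {"category": LEAK, "source_ip": "12.23.45.56", "destination_ip": "10.0.0.9"},
    {"category": LEAK, "source_ip": "18.45.79.2", "destination_ip": "10.0.0.9"},
    {"category": LEAK, "source_ip": "127.0.0.1", "destination_ip": "10.0.0.9"},
    {"category": LEAK, "source_ip": "10.0.0.3", "destination_ip": "127.0.0.2"},
    {"category": "Web application attack", "source_ip": "127.0.0.1", "destination_ip": "10.0.0.9"},
    {"category": "Misc activity", "source_ip": "10.0.0.3", "destination_ip": "127.0.0.2"},
    {"category": LEAK},
]


def field_eq(ev, name, value):
    """Model of a Splunk `name=value` search term: false when the field is absent."""
    return ev.get(name) == value


def matches_excluded_ips(ev):
    """(source_ip="127.0.0.1" OR destination_ip="127.0.0.2")"""
    return field_eq(ev, "source_ip", EXCLUDED_SRC) or field_eq(ev, "destination_ip", EXCLUDED_DST)


def keep_category_scoped(ev):
    """NOT (category="Attempted information leak" AND (source_ip=... OR destination_ip=...))

    Drops the two IPs only inside the leak category; everything else survives.
    """
    return not (field_eq(ev, "category", LEAK) and matches_excluded_ips(ev))


def keep_global_not(ev):
    """NOT source_ip="127.0.0.1": drops that source everywhere, keeps events lacking the field."""
    return not field_eq(ev, "source_ip", EXCLUDED_SRC)


def keep_global_neq(ev):
    """source_ip!="127.0.0.1": like NOT, but an event with no source_ip field is dropped too."""
    return "source_ip" in ev and ev["source_ip"] != EXCLUDED_SRC


def apply(filter_fn, events=EVENTS):
    """Return the events that the given filter keeps, in original order."""
    return [ev for ev in events if filter_fn(ev)]


def summarize(events):
    """Compact (category, source_ip) view of a result set; None marks a missing field."""
    return [(ev.get("category"), ev.get("source_ip")) for ev in events]


if __name__ == "__main__":
    for name, fn in [("category-scoped NOT", keep_category_scoped),
                     ("global NOT source_ip=", keep_global_not),
                     ("global source_ip!=", keep_global_neq)]:
        print(name)
        for row in summarize(apply(fn)):
            print("   ", row)
```

The category-scoped filter is the one that matches the original request: 127.0.0.1 and 127.0.0.2 disappear from the leak category only and still show up under the other categories. The two global variants remove 127.0.0.1 from every category, and the `!=` form additionally discards events that carry no `source_ip` field at all, which is worth checking before using `!=` as a shortcut.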
This worked! Thanks a ton, I've been trying to make it work for 2 hours! Cheers!