Splunk Search

How to edit my search to make an IF statement filter out IPs?

DrSplunkenstein
Engager

Hey guys!

I'm trying to filter out a few IPs from certain categories and I just can't manage it, something like:

IF category="Attempted information leak" AND NOT source_ip="127.0.0.1" OR destination_ip="127.0.0.2"

I still want the IP to appear in all other places except for under the category "Attempted information leak".

Any smart solutions?

0 Karma

DrSplunkenstein
Engager

Hey! Thanks a lot for the quick replies, guys!

I do want the attempted information leak category to stay in, but I want to filter the 2 IPs away from only that 1 category, I hope that makes some sense!

I have this

Attempt info leak
12.23.45.56
18.45.798.2
127.0.0.1

I want to remove it so i only get

Attempt info leak
12.23.45.56
18.45.798.2

If I just write source_ip!="127.0.0.1" it's removed from all categories.

0 Karma

gcusello
SplunkTrust

Hi DrSplunkenstein,
for the first need, you have to insert the additional condition in your searches:

your_search category="Attempted information leak" NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") | ...

Regarding the second need, I didn't understand it: do you want events with category="Attempted information leak" or not?

Bye.
Giuseppe

0 Karma

somesoni2
SplunkTrust

Is this a filter in the base search OR somewhere later in the search using the where command?

Updated
Filter in Base search

index=foo sourcetype=bar NOT (category="Attempted information leak" AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2"))

You can have the same thing in a where clause:

....| where NOT (category="Attempted information leak" AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2"))

somesoni2
SplunkTrust

Try the updated queries.

0 Karma
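To make the boolean logic of the category-scoped exclusion concrete, here is a small Python model of the filter, added by the editor; it is not code from the thread or from Splunk. It assumes the same field names the thread uses (category, source_ip, destination_ip), and the events are constructed for the demonstration. It applies three keep-predicates to the same events: the naive source_ip!="127.0.0.1" (which removes the IP everywhere), the scoped form NOT (category="Attempted information leak" AND (source_ip="127.0.0.1" OR destination_ip="127.0.0.2")) that removes the IPs only inside that category, and the common slip of putting an extra NOT inside the group, which inverts the result and keeps exactly the leak-category events you meant to drop. It also checks that the scoped form is the same as its De Morgan rewrite, category!="..." OR NOT (ip clause), which some people find easier to read in a where clause.

```python
"""Model of a category-scoped IP exclusion, as used in an SPL search filter.

Editor-added example. Events below are constructed, not real log data, and the
field names mirror the thread (category, source_ip, destination_ip).
"""
from collections import defaultdict

LEAK = "Attempted information leak"

# Constructed sample events: the two IPs to suppress appear both in the leak
# category (where they should be dropped) and in other categories (where they
# must survive).
EVENTS = [
    {"category": LEAK, "source_ip": "12.23.45.56", "destination_ip": "10.0.0.5"},
    {"category": LEAK, "source_ip": "18.45.79.2", "destination_ip": "10.0.0.6"},
    {"category": LEAK, "source_ip": "127.0.0.1", "destination_ip": "10.0.0.7"},
    {"category": LEAK, "source_ip": "10.0.0.9", "destination_ip": "127.0.0.2"},
    {"category": "Web Application Attack", "source_ip": "127.0.0.1", "destination_ip": "10.0.0.8"},
    {"category": "Potential Corporate Privacy Violation", "source_ip": "10.0.0.3", "destination_ip": "127.0.0.2"},
]


def is_excluded_ip(event):
    """The OR clause from the thread: source 127.0.0.1 or destination 127.0.0.2."""
    return event["source_ip"] == "127.0.0.1" or event["destination_ip"] == "127.0.0.2"


def naive_filter(event):
    """source_ip!="127.0.0.1": drops the IP from every category, not just one."""
    return event["source_ip"] != "127.0.0.1"


def scoped_filter(event):
    """NOT (category="..." AND (ip clause)): drops the IPs only in the leak category."""
    return not (event["category"] == LEAK and is_excluded_ip(event))


def scoped_filter_demorgan(event):
    """Equivalent affirmative form: category!="..." OR NOT (ip clause)."""
    return event["category"] != LEAK or not is_excluded_ip(event)


def inverted_filter(event):
    """A common slip: an extra NOT inside the group, NOT (category AND NOT ips).

    This keeps the leak-category events that match the IPs and drops the
    leak-category events that do not, the opposite of what was asked for.
    """
    return not (event["category"] == LEAK and not is_excluded_ip(event))


def by_category(events, keep):
    """Apply a keep-predicate and group surviving source IPs by category,
    mirroring the listing in the original post."""
    out = defaultdict(list)
    for event in events:
        if keep(event):
            out[event["category"]].append(event["source_ip"])
    return dict(out)


if __name__ == "__main__":
    for name, predicate in [("naive", naive_filter), ("scoped", scoped_filter), ("inverted", inverted_filter)]:
        print(name, by_category(EVENTS, predicate))
```

Two Splunk-specific caveats when moving this from the model to SPL: in the base search, NOT field="x" also matches events where the field is missing, while field!="x" matches only events that have the field; and string comparison in a where clause (eval) is case-sensitive, whereas field=value in the base search is not, so a category spelled with different capitalisation in the data will slip past the where form but not the search form.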

DrSplunkenstein
Engager

This worked! Thanks a ton, I've been trying to make it work for 2 hours! Cheers!

0 Karma