Hi Everyone,
I recently found the IN command
IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)
I was curious if there was an inverse to the IN command, as it only seems to work with inclusive fields and not if you are "not" looking for something.
Just generally curious as this would clean up some of my queries rather than typing field!= all the time.
Thanks in advance.
Steve
The NOT operator should work on all logical functions, including IN, so try NOT IN.
Maybe you can try NOT IP IN (10.72.168.*, 10.94.102.*, 10.80.134.*)
What version of Splunk are you using? In 6.6.0, something like this works fine.
...| where NOT IP IN ("x.x.x.x","y.y.y.y",....)