Hello Splunkers!
Today I'm building a report in which I'm tasked with excluding some specific results. These are typical Windows authentication logs.
I have certain IPs and logon types which, when they match, should be excluded.
For instance, let's say I have an authentication from IP 195.16.108.1 with logon type 4; I must exclude it from the report. But I can't specify in my alert
ip="195.16.108.1" AND logon_type!=4
That would only select IP 195.16.108.1 while I want to keep every IP, except 195.16.108.1 when logon type equals 4.
I found a solution with the eval function:
... request ...| eval exclude=if((ip="195.16.108.1" AND logon_type="4"), "true", "false") | where exclude!="true" | ... do some formatting ...
I wonder then: isn't there another solution to my problem? Because this one sounds counterintuitive, having to create a new field with a specific value only to sort which rows to keep and which ones to exclude.
Hi jbdumoulin,
try to use parenthesis:
index=my_index NOT (ip="195.16.108.1" logon_type=4)
| ...
Bye.
Giuseppe
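To make the difference between the three searches in this thread concrete, here is an added Python model (not from the original posts, and not Splunk code) that applies each filter to a handful of constructed Windows-authentication events. It assumes the two field names from the thread, ip and logon_type, and it also models the search-time distinction between NOT field=value (matches events without the field) and field!=value (requires the field to exist), which is the one place where a De Morgan rewrite of Giuseppe's NOT (...) group would behave differently on events missing logon_type.

```python
# Added example, not code from the original thread. Models the SPL filters
# discussed above as Python predicates over constructed sample events.

EXCLUDE_IP = "195.16.108.1"
EXCLUDE_LOGON_TYPE = "4"

# Constructed sample events (assumption: fields are named ip and logon_type).
# The last two lack a field, which is where SPL's NOT and != differ.
EVENTS = [
    {"user": "alice", "ip": "195.16.108.1", "logon_type": "4"},   # the pair to drop
    {"user": "bob",   "ip": "195.16.108.1", "logon_type": "2"},   # same IP, other type: keep
    {"user": "carol", "ip": "10.0.0.7",     "logon_type": "4"},   # other IP, type 4: keep
    {"user": "dave",  "ip": "10.0.0.8",     "logon_type": "10"},  # unrelated: keep
    {"user": "erin",  "ip": "195.16.108.1"},                       # excluded IP, no logon_type
    {"user": "frank", "logon_type": "4"},                          # type 4, no ip
]


def naive_filter(events):
    """The OP's first attempt:  ip="195.16.108.1" AND logon_type!=4
    Both terms are positive field matches, so only events from that IP
    survive; every other IP is thrown away."""
    return [e for e in events
            if e.get("ip") == EXCLUDE_IP
            and "logon_type" in e and e["logon_type"] != EXCLUDE_LOGON_TYPE]


def eval_where_filter(events):
    """The OP's working version:
    eval exclude=if((ip="..." AND logon_type="4"), "true", "false") | where exclude!="true"
    A missing field makes the comparison null, so if() takes the else
    branch and the event is kept."""
    out = []
    for e in events:
        match = e.get("ip") == EXCLUDE_IP and e.get("logon_type") == EXCLUDE_LOGON_TYPE
        exclude = "true" if match else "false"
        if exclude != "true":
            out.append(e)
    return out


def not_grouped_filter(events):
    """Giuseppe's answer:  NOT (ip="195.16.108.1" logon_type=4)
    The implicit AND inside the parentheses is negated as one unit; an
    event missing either field cannot match the group, so it is kept."""
    return [e for e in events
            if not (e.get("ip") == EXCLUDE_IP
                    and e.get("logon_type") == EXCLUDE_LOGON_TYPE)]


def demorgan_filter(events):
    """Same condition rewritten with De Morgan:  NOT ip="195.16.108.1" OR logon_type!=4
    In search, logon_type!=4 only matches events that have logon_type, so an
    event from the excluded IP with no logon_type is dropped here even
    though the NOT-grouped form keeps it."""
    return [e for e in events
            if e.get("ip") != EXCLUDE_IP
            or ("logon_type" in e and e["logon_type"] != EXCLUDE_LOGON_TYPE)]


def users(events):
    """Just the user names, to make the kept set easy to compare."""
    return [e["user"] for e in events]


if __name__ == "__main__":
    for name, fn in [("naive", naive_filter), ("eval/where", eval_where_filter),
                     ("NOT (...)", not_grouped_filter), ("De Morgan", demorgan_filter)]:
        print(f"{name:10s} keeps {users(fn(EVENTS))}")
```

Run as a script it prints which users each filter keeps: the naive search keeps only bob, the eval/where and NOT (...) forms both keep everyone but alice, and the De Morgan rewrite additionally drops erin because logon_type!=4 cannot match an event with no logon_type field. If events can legitimately lack one of the two fields, prefer the grouped NOT form (or the eval/where form) over a rewrite built on !=.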
Thanks, really simple solution indeed.