We have a number of alerts in Splunk ES that are triggered by our external scanner. We want to be able to exclude our own external scanner from these alerts in Splunk ES. I have the CIDR range for our scanner however my training for Splunk ES is not until March. I would like to make a move on excluding the scanner from these alerts and looking at more meaningful alerts.
Thank you.
index=_internal
| search NOT 127.0.0.0/8
Hi, @saidshow
This query is the sample of exclude CIDR.
your_search
|search NOT your_ip_and_prefix
How about this?
Which version of ES? Maybe you could use MLTK. There's an example of filtering out the CIDR range of test servers by using .src!=10.11.36.0/24
: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview#Finding_outliers_with_DensityFunct...
Mate, that is terrific. I will see if I can get this working on Monday. Thank you for taking the time to assist. It is appreciated.
index=_internal
| search NOT 127.0.0.0/8
Hi, @saidshow
This query is the sample of exclude CIDR.
your_search
|search NOT your_ip_and_prefix
How about this?
I tried it and it worked just fine - it was actually so simple I overlooked it. This works both as:
my_search NOT field=value
and as
my_search
| search NOT field=value
I prefer the second as it is clearer in the search. Thank you again. Very simple.
The second is slower, so the first is fine. Happy splunking.
Thank you, this looks very simple. I will give this a try in a moment.