Solved: Filter out my own source IP Address

Kai191 · ‎04-01-2013

I have my search command as source="C:\Users\L30814\Desktop\1713.log" http | top 10 DestinationIP. What is the additional command to add in in order to filter out my own source IP Address??

gfuente · ‎04-01-2013

Hello

You could try something like:

source="C:\Users\L30814\Desktop\1713.log" http NOT "xxx.xxx.xxx.xxx" |  top 10 DestinationIP

But this would filter any event with that ip adress, not just "source" adresses.

If you have the field extracted you can do it better with this command:

source="C:\Users\L30814\Desktop\1713.log" http AND c_ip!="xxx.xxx.xxx.xxx" |  top 10 DestinationIP

Supposing that you source ip adress is extracted in the field c_ip

Regards

View solution in original post

gfuente · ‎04-01-2013

Hello

You could try something like:

source="C:\Users\L30814\Desktop\1713.log" http NOT "xxx.xxx.xxx.xxx" |  top 10 DestinationIP

But this would filter any event with that ip adress, not just "source" adresses.

If you have the field extracted you can do it better with this command:

source="C:\Users\L30814\Desktop\1713.log" http AND c_ip!="xxx.xxx.xxx.xxx" |  top 10 DestinationIP

Supposing that you source ip adress is extracted in the field c_ip

Regards

gfuente · ‎04-01-2013

No problem

You can mark it as "Correct answer" if you think it´s correct. Thanks

Kai191 · ‎04-01-2013

Thaks a lot!

Filter out my own source IP Address

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases