Exclude a known IP from results

MattQ
Explorer

I am returning query results that give a list of IPs on which an event has occurred. I want to create an alert to fire historically on the data if criteria are met; however, I have a known IP address that will always meet the criteria (my IP). I would like to exclude this either from the results and then fire an event on the remaining results, or set a custom alert condition to alert on an event EXCEPT if it is from my IP.

This should be simple. Just missing it.

0 Karma

mosman_splunk
Splunk Employee

You can list all the IPs that you want to whitelist in a CSV file, then run your search against that file.

e.g.

tag=traffic NOT [|inputcsv kiristian_whitelist_IP.csv ]

Good luck.

0 Karma

chrisprangnell
Path Finder

Can you share your search phrase please? I'm trying to do a similar thing.

0 Karma

sundareshr
Legend

@chrisprangnell Try this pseudocode:

your base search | stats count by ip | search NOT [| inputlookup knowniplist.csv | table ip ]

0 Karma
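Pulling the two answers above (the inputcsv subsearch and the inputlookup subsearch) together, as an added example that is not from the original thread: three complete ways to suppress one or more known IPs before the alert condition is evaluated. The lookup file name knowniplist.csv, its columns, the index and sourcetype, the field name clientip, the addresses and the count threshold are assumptions for illustration. The lines starting with # are annotations for the reader, not SPL; remove them before pasting a query into the search bar.

```spl
# Assumed lookup table file knowniplist.csv (Settings > Lookups > Lookup table files), contents:
#   ip,comment
#   203.0.113.10,my workstation
#   198.51.100.7,vulnerability scanner

# 1. Subsearch form. The subsearch expands to
#    NOT ( (clientip="203.0.113.10") OR (clientip="198.51.100.7") )
#    so the field name inside it must match the outer search's field, and every
#    other column must be dropped with fields, otherwise each row becomes
#    clientip=... AND comment=... and nothing is excluded.
index=web sourcetype=access_combined
    NOT [| inputlookup knowniplist.csv | rename ip AS clientip | fields clientip]
| stats count BY clientip
| where count > 100

# 2. Lookup form. Works after stats (i.e. on the finished table, which is the
#    A, C, F, G minus F case), is not subject to the subsearch result cap
#    (10,000 rows by default), and leaves the match visible as a field.
index=web sourcetype=access_combined
| stats count BY clientip
| lookup knowniplist.csv ip AS clientip OUTPUT comment AS whitelisted
| where isnull(whitelisted) AND count > 100

# 3. A single hard-coded address. The two operators differ when the field is
#    absent: clientip!="203.0.113.10" also drops events with no clientip field,
#    while NOT clientip="203.0.113.10" keeps them.
index=web sourcetype=access_combined clientip!="203.0.113.10"
| stats count BY clientip
| where count > 100
```

Save whichever form you use as the alert's search and set the trigger condition to "number of results is greater than 0"; the exclusion then happens in the search itself and no custom alert condition is needed. Form 2 is the one to prefer for a list that will grow, since the whitelist can be edited without touching the saved search.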

MattQ
Explorer

I actually did get this to work using NOT. I just needed to be more creative. Thanks

0 Karma

MattQ
Explorer

Normally this would work, yes, but the way I am manipulating the data I can't seem to make the NOT command fit. Is there a way to get results of A, C, F, G but exclude F from my table results list?

0 Karma

kristian_kolb
Ultra Champion

Have you taken a look at the NOT operator? Or the != operator? Both could be used in your search to exclude results otherwise matching your search criteria.

/K
