Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to edit my search to make an IF statement filter out IPs?

DrSplunkenstein
Engager
‎05-11-2017 08:39 AM

Hey guys!

I'm trying to filter out a few IPs from certain Categories and i just can't manage, something like:

IF category="Attempted information leak" AND NOT source_ip="127.0.0.1" OR destination_ip="127.0.0.2"

I still want the IP to appear in all other places except for under the category "Attempted information leak".

Any smart solutions?

0 Karma
Reply

DrSplunkenstein
Engager
‎05-11-2017 09:01 AM

Hey! Thanks alot for the quick replies guys!

I do want the attempt information leak category to stay in, but i want to filter the 2 ips away from only that 1 category, i hope that makes some sense!

I have this

Attempt info leak
12.23.45.56
18.45.798.2
127.0.0.1

I want to remove it so i only get

Attempt info leak
12.23.45.56
18.45.798.2

if i just write source_ip!="127.0.0.1" its removed from all categories

0 Karma
Reply

gcusello
SplunkTrust
SplunkTrust
‎05-11-2017 08:57 AM

Hi DrSplunkenstein,
for the first need, you have to insert in your searches the additional condition:

your_search category="Attempted information leak" NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") | ...

Regard the second need I didn't have understood it: do you want events with category="Attempted information leak" or not?

Bye.
Giuseppe

0 Karma
Reply

somesoni2
Revered Legend
‎05-11-2017 08:51 AM

Is this a filter in the base search OR somewhere later in the search using where command?

Updated
Filter in Base search

index=foo sourcetype=bar NOT (category="Attempted information leak" AND NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") )

You can have same thing in where clause

....| where NOT (category="Attempted information leak" AND NOT (source_ip="127.0.0.1" OR destination_ip="127.0.0.2") )
Reply

somesoni2
Revered Legend
‎05-11-2017 09:12 AM

Try the updated queries.

0 Karma
Reply

DrSplunkenstein
Engager
‎05-11-2017 09:30 AM

This worked! Thanks a ton ive been trying to make it work for 2 hours! Cheers!

0 Karma
Reply
Get Updates on the Splunk Community!

Join Us for Splunk University and Get Your Bootcamp Game On!

If you know, you know! Splunk University is the vibe this summer so register today for bootcamps galore ...

.conf24 | Learning Tracks for Security, Observability, Platform, and Developers!

.conf24 is taking place at The Venetian in Las Vegas from June 11 - 14. Continue reading to learn about the ...

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...