Splunk 6.5.1
Splunk Enterprise Security (ES) 4.2.0
I wrote the correlation search below (show sources that trigger more than 100 IPS alerts), which triggers nicely, but I'm trying to add exclusions to get my desired results. I'm looking to get the output of IPS alerts that only match Severity=4. I'm also looking to exclude CIDR ranges from the output, e.g. 10.0.0.0/8. Any thoughts?
| tstats allow_old_summaries=true values(IDS_Attacks.tag) as "tag", c(IDS_Attacks.signature) as "count"
    from datamodel=Intrusion_Detection
    where nodename=IDS_Attacks
    by "IDS_Attacks.src"
| rename "IDS_Attacks.src" as "src"
| where 'count'>100
| rename "tag" as "orig_tag"
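One way to add both exclusions to the search above, as an added example that is not part of the original post. It assumes that the IDS_Attacks.severity field in this data carries the vendor's numeric severity (so that the value 4 is what "Severity=4" refers to), and it excludes 10.0.0.0/8 from the question plus the other two RFC 1918 ranges purely to show how additional ranges are chained; remove or change those as needed.

```spl
| tstats allow_old_summaries=true values(IDS_Attacks.tag) as tag, count(IDS_Attacks.signature) as count
    from datamodel=Intrusion_Detection
    where nodename=IDS_Attacks
        IDS_Attacks.severity=4
    by IDS_Attacks.src
| rename IDS_Attacks.src as src
| where count>100
| where NOT (cidrmatch("10.0.0.0/8", src)
          OR cidrmatch("172.16.0.0/12", src)
          OR cidrmatch("192.168.0.0/16", src))
| rename tag as orig_tag
```

The two filters sit in different places on purpose. The severity condition has to be inside the tstats `where` clause, because it must apply to the individual events before they are counted; putting it after the `by` would filter on a field that no longer exists in the aggregated rows. The CIDR exclusion goes after the aggregation because the tstats `where` clause does not understand CIDR notation, while `cidrmatch()` is an eval function available in `| where`; since `src` is the groupby key, dropping rows after the count is equivalent to excluding those sources up front. One caveat: if the data is CIM-normalized, `severity` holds the canonical string values (critical, high, medium, low, informational) rather than a number, in which case the filter should name the string your vendor maps "4" to.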