Reputation: 21
In splunk How to apply Multiple filter on splunk
in splunk if we want to add multiple filter how can we do that easily . eg:-
index=indexer action= Null NOT IP IN (10.34.67.32 , 87.90.32.10.. so on)
Now question is if i have 519 IP which i want to exclude from result how can we do that easily..
I already tried below code but it was taking more time to write query
index = indexer action =Null IP!=10.34.67.32 IP!=87.90.32.10 so on..
Upvotes: 0
Views: 1512
Answers (2)
Reputation: 11
If the total IP addresses are 600 and you wish to exclude 519, instead you can use
index=indexer action=Null IP IN (10.34.67.31 , 87.90.32.11 ... so on)
Also, if you specific ranges of IP addresses you don't want, you can exclude or include them based on regex or wild-card.
Although, the above answer too is useful if you really have a huge list of IP addresses.
Upvotes: 0
Reputation: 2651
What I suggest is you create a CSV file of IPs you wish to exclude from your search.
IP
10.34.67.32
87.90.32.10
...
Create a lookup with this file as the source (refer to https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/Usefieldlookupstoaddinformationtoyourevents ). Let's call the lookup excluded_ips.
Now, you can do the following search to exclude the IPs from that file
index=indexer action= Null NOT [ | inputlookup excluded_ips | fields IP | format ]
The format command will change the list of IPs into ((IP=10.34.67.32) OR (IP=87.90.32.10)). So the expanded search that gets run is
index=indexer action= Null NOT ((IP=10.34.67.32) OR (IP=87.90.32.10))
Upvotes: 3
Related Questions
- Splunk filter one search by another
- How to use Splunk functions in the query
- How to add multiple queries in one search in Splunk
- how to apply multiple addition in Splunk
- nested condition in splunk
- How to do compound query with where clause in Splunk?
- Splunk how to combine two queries and get one answer
- How to append two queries in splunk?
- How to combine two queries in Splunk?
- Splunk query to filter results