@tfhartmann
Created September 25, 2013 14:15
Searches from Splunk Talk

In this case we look up all successes that are NOT from RFC 1918 address space and format the output as a table.

`vpn` action="success" NOT Calling_Station_Id=10.0.0.0/8
| rename Calling_Station_Id as src_ip
| stats dc(user) as Users by src_ip, user
| geoip src_ip
| search NOT src_ip_country_code=US
| rename src_ip_country_name as Country
| stats dc(user) as Users by Country
| sort -Users
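
The same pipeline in Python over constructed events, as an added example that is not part of the original gist. It excludes all three RFC 1918 ranges rather than only 10.0.0.0/8; the `GEO` table, the `EVENTS` list and the function names are assumptions standing in for the geoip lookup and the `vpn` data.

```python
import ipaddress
from collections import defaultdict

# RFC 1918 private ranges; the search above excludes only the first one.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed stand-in for the geoip lookup: network -> (country code, name).
# Networks are RFC 5737 documentation ranges; the country assignments are made up.
GEO = {
    ipaddress.ip_network("192.0.2.0/24"): ("US", "United States"),
    ipaddress.ip_network("198.51.100.0/24"): ("DE", "Germany"),
    ipaddress.ip_network("203.0.113.0/24"): ("BR", "Brazil"),
}

# Constructed VPN events using the field names from the search.
EVENTS = [
    {"action": "success", "user": "alice", "Calling_Station_Id": "10.1.2.3"},
    {"action": "success", "user": "alice", "Calling_Station_Id": "198.51.100.7"},
    {"action": "success", "user": "alice", "Calling_Station_Id": "198.51.100.7"},
    {"action": "success", "user": "bob", "Calling_Station_Id": "198.51.100.9"},
    {"action": "success", "user": "bob", "Calling_Station_Id": "192.0.2.10"},
    {"action": "success", "user": "carol", "Calling_Station_Id": "203.0.113.5"},
    {"action": "failure", "user": "dave", "Calling_Station_Id": "203.0.113.6"},
    {"action": "success", "user": "erin", "Calling_Station_Id": "192.168.1.20"},
]

def geoip(ip):
    """Return (country_code, country_name) for ip, or None if unresolved."""
    for net, country in GEO.items():
        if ip in net:
            return country
    return None

def foreign_vpn_users(events, home="US"):
    """Distinct successful users per non-home country, most users first."""
    users_by_country = defaultdict(set)
    for e in events:
        ip = ipaddress.ip_address(e["Calling_Station_Id"])
        if e["action"] != "success" or any(ip in n for n in RFC1918):
            continue  # failed logins and private source addresses are out of scope
        country = geoip(ip)
        if country is None or country[0] == home:
            continue  # unresolved addresses get no Country row, so they are dropped
        users_by_country[country[1]].add(e["user"])  # set = dc(user)
    rows = [(name, len(users)) for name, users in users_by_country.items()]
    return sorted(rows, key=lambda r: -r[1])  # sort -Users
```

Repeat logins by the same user from the same address collapse to one, which is the role of the first `stats ... by src_ip, user` in the search.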