It would be handy in Kibana to exclude a set of IP addresses without having to say !clientip:IP1 AND !clientip:IP2 AND ..... by doing something like clientip NOT IN [IP1, IP2, IP3] or being able to read the list of IPs to exclude from a saved table. Is there a way to do this?
It's not possible to do using a saved table, unfortunately.
The "filter bar" in modern versions of Kibana makes this a bit easier.
Also may be use DLS/FLS so they don’t return the data that has those fields/values?
It's good to know about DLS/FLS, but that's not a solution in this case. What I'm looking for is a way when running queries for doing log analysis to see the results that exclude a known list of hosts, such as the ones I'm responsible for. For instance, if I want to see all connections from IPs that are not my own or if I want to exclude connections that are to my database servers or something without having to enter every single IP or hostname. It would be handy to be able to reference them in some way. I could do a saved search, but then each saved search would need to be kept up to date.
This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.