Here are some docs and query samples to get you started
What you are trying to achieve is entirely possible. You will want to use the "src" search module, which is documented here: Search Docs
The src module can filter based on the SRC field using direct comparison and subset filtering.
Here are your two queries using the src module:
tag=syslog src == 10.1.1.1 | table SRC DATA
tag=syslog src != 10.1.1.1 | unique SRC | table SRC DATAThe eval module can accomplish the same thing, but because it has significantly more capability, it has two caveats. First, it is not as type aware as some of the others so you may need to tell it what type it is expecting explicitly.,
tag=syslog unique SRC | eval toString(SRC) != "10.1.1.1" | table SRC DATA
The other thing to remember is that eval can do a lot more than filtering, so it must be a collapsing module. This may have significant performance impacts when used for bulk filtering.
Was this article helpful?
That’s Great!
Thank you for your feedback
Sorry! We couldn't be helpful
Thank you for your feedback
Feedback sent
We appreciate your effort and will try to fix the article