2 Replies Latest reply on Mar 7, 2013 3:55 PM by nicole pauls

    nDepth query for IP

    HMote

      I open up the nDepth query, enter my IP, say 10.20.30.40, and search.  The nDepth query seems to see that as "I need to find '10' or '20' or '30' or '40'", when I actually want it to search for "10.20.30.40".


      What am I doing wrong?  I'm wanting to find any traffic with a certain IP in any field.

        • Re: nDepth query for IP
          michoudi

          I suspect you are typing your query into the wrong search box. What you want to do is create a search where IP Address = 10.20.30.40. See screenshot below:


          [screenshot: query.png]

          • Re: nDepth query for IP
            nicole pauls

            Using the IP Address search is awesome if you want to search for that address in one of the IP fields (Source Machine, Destination Machine, Detection IP, Insertion IP, a couple of other related fields). This should be the majority of where you see IP address values. You'll probably have to do a simple search first, then you can drag an IP Address from the Refine Fields (on the left) up to Conditions, make sure it's the one you want, and erase anything else.


            When you search for just the text string "10.20.30.40" anywhere using the general text search, what happens is the system searches for "10" AND "20" AND "30" AND "40". The dot is a breaking element in the data so that you can also search for partial match IP addresses - it wasn't technically easy to have it both ways (make it possible to search for "10.20.30.*" and "10.20.30.40"), though we're looking at changing the way text searching like this works in an upcoming release. This also happens with slashes (so that you can search username or domain name without having to search both) and things like colons/semicolons similarly.


            As long as all of those numbers appear in the data, the search will match - generally it's going to be most common that you only find that with IP addresses, and it should get you very close to what you intended - since it's pretty uncommon that all 4 parts of the IP address would also be in random other data somewhere.


            You can also filter stuff OUT of your search by making the equals a not equals and adding it on, or narrowing your search by alert name or other data. So you could search for "10.20.30.40" AND event name = UserLogonFailure or something like that.
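The tokenized text search nicole describes, its false-positive failure mode, and the two fixes from the thread (an exact IP Address condition, or narrowing by event name), modelled in Python as an added example. This is not code from the thread or from the product; the event records, field names and breaking-character set are constructed assumptions based on what the replies say.

```python
import re

# Constructed sample events shaped like the fields named in the thread; not real LEM data.
EVENTS = [
    {"EventName": "UserLogonFailure", "SourceMachine": "10.20.30.40",
     "DestinationMachine": "10.20.30.1", "Message": "logon failed from 10.20.30.40"},
    {"EventName": "FileAudit", "SourceMachine": "192.0.2.7",
     "DestinationMachine": "192.0.2.8",
     "Message": "copied 40 files for job 10/20 to volume 30"},
    {"EventName": "UserLogonFailure", "SourceMachine": "10.20.30.41",
     "DestinationMachine": "10.20.30.1", "Message": "logon failed from 10.20.30.41"},
]
IP_FIELDS = ("SourceMachine", "DestinationMachine")

# Breaking characters the reply lists: dot, slash, colon, semicolon (plus whitespace).
BREAKERS = re.compile(r"[\s./:;]+")


def tokenize(text):
    """Split text into the terms a general text search actually matches on."""
    return {t.lower() for t in BREAKERS.split(text) if t}


def text_search(query, events, event_name=None):
    """General text search: every query term must appear somewhere in the event.
    "10.20.30.40" becomes {"10", "20", "30", "40"}, so order and adjacency are lost."""
    terms = tokenize(query)
    hits = []
    for e in events:
        if event_name is not None and e["EventName"] != event_name:
            continue
        if terms <= tokenize(" ".join(str(v) for v in e.values())):
            hits.append(e)
    return hits


def ip_field_search(ip, events):
    """IP Address = x.x.x.x condition: exact match against the IP fields only."""
    return [e for e in events if any(e.get(f) == ip for f in IP_FIELDS)]


def sources(hits):
    return [e["SourceMachine"] for e in hits]


if __name__ == "__main__":
    print(sources(text_search("10.20.30.40", EVENTS)))        # FileAudit event is a false positive
    print(sources(text_search("10.20.30.40", EVENTS, "UserLogonFailure")))
    print(sources(ip_field_search("10.20.30.40", EVENTS)))
```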