Log search with variable in it

Hi
I am trying to perform a log search on my Cisco FTD “unparsed” data but this is not working:

where("FTD-5-199017" AND "Accepted password" AND * NOT IN [$Monitor_Servers}])

The variable contains a list of ip addresses that I want to “exclude” from my search.

Bump :slight_smile:

it looks like your reference to the variable is missing a { after the dollar sign
where("FTD-5-199017" AND "Accepted password" AND * NOT IN [${Monitor_Servers}])

Copy and paste error.
this is not working for me:

where("FTD-5-199017" AND "Accepted password" AND NOT * IN [${Monitor_Servers}])

It is not excluding the IP addresses I have in the variable.

@antmar904 you need to use a key to compare the list of IPs against; you can't use a * here.

It needs to be where (key NOT IN [${var}])

David

How do I do this with “unparsed data”? Do I have to create a custom parser?

You can use a capture group to look at data retroactively, but building a custom parsing rule would help for future logs

If you provide an example log I can help you construct an appropriate capture group

David

The export keeps coming out blank. Do you mean capture groups with regex? If you can help out with that or I can just create a custom parser.

Yes, capture groups with regex allow you to query against previously ingested data; building a custom parsing rule is not retroactive.

If you just copy and paste a single log I can take a look

<165>May 30 2025 12:42:30: %FTD-5-199017: sshd[18139]: Accepted password for admin from 10.5.5.5 port 60390 ssh2

If you were to use

where(/from (?P[^ ]+)/ AND FTD-5-199017 AND Accepted password AND IP NOT IN [${Monitoreed_Servers}])

I think it should work

Essentially, my capture group is anchoring on the preceding "from " and grabbing everything up to the whitespace after the IP address.

David

Something is not right with the syntax. What would the capture group “key” name be? IP ?

I may have had a typo

try this

where(/from (?P<IP>[^ ]+)/ FTD-5-199017 AND "Accepted password" AND IP NOT IN [${Monitored_Servers}])groupby(IP)
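To check that the capture group from the thread actually pulls the source address out of the FTD line and that the exclusion list behaves as intended, here is an added Python example (not code from the thread or from the log platform) that mirrors the final query: same regex, a message-id and "Accepted password" filter, an exclusion set standing in for the `${Monitored_Servers}` variable, and a per-IP count in place of `groupby(IP)`. The log lines and the 192.0.2.10 monitored server are constructed sample data.

```python
import re
from collections import Counter

# Same capture group as in the thread: anchor on "from " and take everything
# up to the next space, which is the client IP in the sshd message.
IP_PATTERN = re.compile(r"from (?P<IP>[^ ]+)")

# Constructed sample lines modelled on the FTD syslog message posted above.
SAMPLE_LOGS = [
    "<165>May 30 2025 12:42:30: %FTD-5-199017: sshd[18139]: Accepted password for admin from 10.5.5.5 port 60390 ssh2",
    "<165>May 30 2025 12:43:01: %FTD-5-199017: sshd[18140]: Accepted password for admin from 192.0.2.10 port 50022 ssh2",
    "<165>May 30 2025 12:43:15: %FTD-5-199017: sshd[18141]: Accepted password for ops from 10.5.5.5 port 60391 ssh2",
    "<165>May 30 2025 12:44:00: %FTD-5-199017: sshd[18142]: Failed password for root from 198.51.100.7 port 40000 ssh2",
]

# Stand-in for the ${Monitored_Servers} variable: addresses to exclude (constructed).
MONITORED_SERVERS = {"192.0.2.10"}


def extract_ip(line: str):
    """Return the address captured after 'from ', or None if the line has none."""
    match = IP_PATTERN.search(line)
    return match.group("IP") if match else None


def accepted_logins_from_unmonitored(lines, monitored):
    """Apply the thread's filter: message id, 'Accepted password', IP NOT IN list."""
    hits = []
    for line in lines:
        if "FTD-5-199017" not in line or "Accepted password" not in line:
            continue
        ip = extract_ip(line)
        if ip is None or ip in monitored:
            continue
        hits.append(ip)
    return hits


def group_by_ip(lines, monitored):
    """Equivalent of groupby(IP): number of matching logins per source address."""
    return dict(Counter(accepted_logins_from_unmonitored(lines, monitored)))
```

If a login from a monitored server still shows up, compare the captured value against the list entries character by character; a trailing port or a CIDR entry in the variable will never match an exact IP string.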