https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547809#M37687 <P>index="fw" src_ip="192.168.10.*"<BR />| rex "192\.168\.10\.(?&lt;range&gt;\d{1,3})"<BR />| where range &gt;=11 AND range &lt;=126<BR />| dedup src_ip<BR />| makeresults count=24<BR />| streamstats count<BR />| eval count=count+1<BR />| eval count=count*5+1<BR />| eval src_ip="192.168.10.".count<BR />| stats values(src_ip) as src_ip<BR />| nomv src_ip<BR /><BR /><BR /></P><P><SPAN>You'll get that error.</SPAN></P><P><SPAN>Error in 'makeresults' command: This command must be the first command of a search.</SPAN></P> Wed, 14 Apr 2021 00:09:21 GMT nnonm111 2021-04-14T00:09:21Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547701#M37666 <DIV class="lang_select___3h6b5"><DIV><DIV class="dropdown_wrap___2x_qn target___1bV2b"><DIV class="dropdown_top___13QlJ"><SPAN class="btn_dropdown_arr___2xcBb"><SPAN class="blind"><FONT><FONT>열기 / 닫기 아이콘</FONT></FONT></SPAN></SPAN></DIV></DIV></DIV></DIV><DIV class="edit_area___2iv-G"><DIV class="edit_box___1KtZ3 active___3VPGL font_step2___3vt9-"><SPAN><FONT><FONT>index = "fw"src_ip = "192.168.10. *" </FONT></FONT></SPAN><BR /><SPAN><FONT><FONT>| </FONT><FONT>rex "192 \ .168 \ .10 \. (? &lt;범위&gt; \ d {1,3})" </FONT></FONT></SPAN><BR /><SPAN><FONT><FONT>| </FONT><FONT>여기서 범위&gt; = 11 AND 범위 &lt;= 126 </FONT></FONT></SPAN><BR /><SPAN><FONT><FONT>| </FONT><FONT>중복 제거 src_ip </FONT></FONT></SPAN><BR /><SPAN><FONT><FONT>| </FONT><FONT>stats count </FONT></FONT></SPAN><BR /><BR /><SPAN><FONT><FONT>나는 위의 명령에서 ip를 얻고 있습니다. </FONT></FONT></SPAN><BR /><SPAN><FONT><FONT>192.168.10.16, 192.168.10.21, 192.168.10.26, 192.168.10.31 ~ 192.168.10.126의 네 가지 IP를 살펴보고 싶습니다. </FONT><FONT>방법이 있습니까?</FONT></FONT></SPAN></DIV></DIV> Tue, 13 Apr 2021 04:58:03 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547701#M37666 nnonm111 2021-04-13T04:58:03Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547705#M37667 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233055">@nnonm111</a>,</P><P>You question is not clear, could you please tell us what do you want to do with that four ip? (The list has actually five ips)</P> Tue, 13 Apr 2021 04:36:14 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547705#M37667 scelikok 2021-04-13T04:36:14Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547706#M37668 <P><SPAN>After 192.168.10.11 we would like to exclude 4 ip(192.168.10.12,13,14,15) by 192.168.10.126.</SPAN><BR /><BR /><SPAN>Output value:</SPAN><BR /><SPAN>192.168.10.11</SPAN><BR /><SPAN>192.168.10.16</SPAN><BR /><SPAN>192.168.10.21</SPAN><BR /><SPAN>.</SPAN><BR /><SPAN>.</SPAN><BR /><SPAN>.</SPAN><BR /><SPAN>192.168.10.126</SPAN></P> Tue, 13 Apr 2021 04:56:51 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547706#M37668 nnonm111 2021-04-13T04:56:51Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547714#M37669 <P>You can use regex to filter those ip addresses, please try below;</P><LI-CODE lang="markup">| regex src_ip!="192\.168\.10\.1[2-5]"</LI-CODE> Tue, 13 Apr 2021 05:42:24 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547714#M37669 scelikok 2021-04-13T05:42:24Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547716#M37670 <P><SPAN>The sql does not fit.</SPAN><BR /><BR /><SPAN>index=fw</SPAN><BR /><SPAN>filed=src_ip</SPAN><BR /><BR /><SPAN>python code</SPAN><BR /><SPAN>a = '192.168.11.'</SPAN><BR /><BR /><SPAN>for i in range(11,127,5):</SPAN><BR /><SPAN>ip = str(a)+str(i)</SPAN><BR /><SPAN>print(ip)</SPAN><BR /><BR /><SPAN>Can the pyhton be expressed in sql?</SPAN></P> Tue, 13 Apr 2021 06:06:47 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547716#M37670 nnonm111 2021-04-13T06:06:47Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547750#M37678 <P>Hi&nbsp;<a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/233055">@nnonm111</a>,</P><P>You can use below to create similar output to your pyhton code.</P><LI-CODE lang="markup">| makeresults count=24 | streamstats count | eval count=count+1 | eval count=count*5+1 | eval src_ip="192.168.10.".count | stats values(src_ip) as src_ip | nomv src_ip</LI-CODE> Tue, 13 Apr 2021 11:01:45 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547750#M37678 scelikok 2021-04-13T11:01:45Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547809#M37687 <P>index="fw" src_ip="192.168.10.*"<BR />| rex "192\.168\.10\.(?&lt;range&gt;\d{1,3})"<BR />| where range &gt;=11 AND range &lt;=126<BR />| dedup src_ip<BR />| makeresults count=24<BR />| streamstats count<BR />| eval count=count+1<BR />| eval count=count*5+1<BR />| eval src_ip="192.168.10.".count<BR />| stats values(src_ip) as src_ip<BR />| nomv src_ip<BR /><BR /><BR /></P><P><SPAN>You'll get that error.</SPAN></P><P><SPAN>Error in 'makeresults' command: This command must be the first command of a search.</SPAN></P> Wed, 14 Apr 2021 00:09:21 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547809#M37687 nnonm111 2021-04-14T00:09:21Z https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547827#M37689 <P>To use as a filter , you can use in a subsearch;</P><LI-CODE lang="markup">index="fw" src_ip="192.168.10.*" | dedup src_ip | search [| makeresults count=24 | streamstats count | eval count=count+1 | eval count=count*5+1 | eval src_ip="192.168.10.".count | stats values(src_ip) as src_ip ]</LI-CODE> Wed, 14 Apr 2021 04:07:50 GMT https://community.splunk.com/t5/Dashboards-Visualizations/specific-ip-remove-sql-questio/m-p/547827#M37689 scelikok 2021-04-14T04:07:50Z