https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468760#M131986 <P>As far as I can tell, when using IN the CIDR address is seen as a single value and not as a CIDR value to expand. </P> <P>You would need to do it the old fashioned way:</P> <PRE><CODE>All_Traffic.src_ip=10.16.72.20 OR All_Traffic.src_ip=10.128.124.0/22 </CODE></PRE> <P>If you have several individual IPs, you could do those via IN:</P> <PRE><CODE>WHERE All_Traffic.src_ip IN (10.16.72.20, 10.16.73.20 ) OR All_Traffic.src_ip=10.128.124.0/22 OR All_Traffic.src_ip=10.34.124.0/22 </CODE></PRE> Wed, 04 Sep 2019 13:18:17 GMT solarboyz1 2019-09-04T13:18:17Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468754#M131980 <P>Hi Guys,</P> <P>Can you please tell me how to exclude/whitelist multiple ip adresses from the <STRONG>datamodel</STRONG> search</P> <P>here is the example:</P> <P><STRONG>All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.10 All_Traffic.dest_ip!=10.10.10.13</STRONG></P> <P>I would like to have it more clear like: <STRONG>All_Traffic.dest_ip!=10.10.10.10, 10.10.10.10, 10.10.10.13</STRONG></P> <P>Unfortunately it doesn't work. Which parameter needs to be used ??</P> <P>Thanks!</P> Wed, 30 Sep 2020 01:59:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468754#M131980 dzejsonborn 2020-09-30T01:59:53Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468755#M131981 <P>You could use the IN operator</P> <PRE><CODE>... Where NOT All_Traffic.dest_ip IN (10.10.10.10, 10.10.10.10, 10.10.10.13) </CODE></PRE> <P><A href="https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Search#Multiple_field-value_comparisons_with_the_IN_operator">https://docs.splunk.com/Documentation/Splunk/7.3.1/SearchReference/Search#Multiple_field-value_comparisons_with_the_IN_operator</A></P> Wed, 28 Aug 2019 18:59:15 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468755#M131981 solarboyz1 2019-08-28T18:59:15Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468756#M131982 <P>Thank you !!!</P> Wed, 28 Aug 2019 19:33:10 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468756#M131982 dzejsonborn 2019-08-28T19:33:10Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468757#M131983 <P>And later on if I would like to add <STRONG>All_Traffic.dest_port and All_Traffic.transport!</STRONG> <BR /> Which parameter I should use ? </P> <P>I tried:</P> <P><STRONG>WHERE NOT (All_Traffic.src_port IN (80, 443) OR NOT All_Traffic.dest_port IN (80, 443, 22, 5060)</STRONG></P> <P>but it does not work.</P> Wed, 30 Sep 2020 01:57:14 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468757#M131983 dzejsonborn 2020-09-30T01:57:14Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468758#M131984 <P>I don't know how the NOT outside the parens impacts the NOT inside, also not sure what Logic you are trying to implement. </P> <P>This will find any events that <EM>don't</EM> have a src port of 80 or 443 or a dest of 80 443 22 5060. </P> <PRE><CODE>WHERE ( NOT All_Traffic.src_port IN (80, 443) AND NOT All_Traffic.dest_port IN (80, 443, 22, 5060) ) </CODE></PRE> <P>OR</P> <PRE><CODE>WHERE NOT ( All_Traffic.src_port IN (80, 443) OR All_Traffic.dest_port IN (80, 443, 22, 5060) ) </CODE></PRE> Thu, 29 Aug 2019 12:49:53 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468758#M131984 solarboyz1 2019-08-29T12:49:53Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468759#M131985 <P>and how about IP ranges, for example:</P> <P><STRONG>All_Traffic.src_ip IN (10.16.72.20, 10.128.124.0/22)</STRONG><BR /> ??</P> Wed, 30 Sep 2020 01:59:08 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468759#M131985 dzejsonborn 2020-09-30T01:59:08Z https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468760#M131986 <P>As far as I can tell, when using IN the CIDR address is seen as a single value and not as a CIDR value to expand. </P> <P>You would need to do it the old fashioned way:</P> <PRE><CODE>All_Traffic.src_ip=10.16.72.20 OR All_Traffic.src_ip=10.128.124.0/22 </CODE></PRE> <P>If you have several individual IPs, you could do those via IN:</P> <PRE><CODE>WHERE All_Traffic.src_ip IN (10.16.72.20, 10.16.73.20 ) OR All_Traffic.src_ip=10.128.124.0/22 OR All_Traffic.src_ip=10.34.124.0/22 </CODE></PRE> Wed, 04 Sep 2019 13:18:17 GMT https://community.splunk.com/t5/Splunk-Search/How-to-whitelist-multiple-IP-addresses-from-datamodel-search-no/m-p/468760#M131986 solarboyz1 2019-09-04T13:18:17Z