topic Re: How to Exclude private IP range from transforms in Splunk Search

How to Exclude private IP range from transforms

neelamsantosh — Mon, 21 Dec 2020 06:09:16 GMT

I want to exclude the (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16") IP ranges.

my configurations:

props.conf:

TRANSFORMS-null = internal_Logs10, internal_Logs172, internal_Logs192

Transforms.conf:

[internal_Logs10]
REGEX = dst\=10\.0\.0\.0\/8
DEST_KEY = queue
FORMAT = nullQueue

[internal_Logs172]
REGEX = dst\=172\.16\.0\.0\/12
DEST_KEY = queue
FORMAT = nullQueue

[internal_Logs192]
REGEX = dst=192\.168\.0\.0\/16
#REGEX = dst=192\.168\.5.*
DEST_KEY = queue
FORMAT = nullQueue

it works perfectly for 192.168.5.* but not for subnet range.

kindly share or assist with configuration around the same.

nickhills — Mon, 21 Dec 2020 09:13:46 GMT

Splunk will not perform CIDR matches against regular expressions.

You will need to construct your regex to match the range of addresses you need

(10\.) (172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.) (192\.168\.)

But you should be able to do this in one stanza if you wish

[internal_IPs] REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+ DEST_KEY = queue FORMAT = nullQueue

neelamsantosh — Mon, 21 Dec 2020 05:19:33 GMT

its excluding all traffic/dst IP's
besides 10 its also considering 101 too in th eprivate ip address range

nickhills — Mon, 21 Dec 2020 09:18:29 GMT

I made a minor change to the answer above, but I can not reproduce the scenario you describe.