https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543412#M153928 <P>If you are filtering data only on host=1.1.1.* then you can filter it using logical operators in the base search only:</P><P>&nbsp;</P><LI-CODE lang="markup">index=n sourcetype=c message_text="you should not have done that" (host&gt;="1.1.1.23" AND host&lt;="1.1.1.51") NOT (host&gt;="1.1.1.38" AND host&lt;="1.1.1.44") host!="1.1.1.26" host!="1.1.1.32"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Mar 2021 15:38:42 GMT manjunathmeti 2021-03-11T15:38:42Z https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543397#M153923 <P>Hello, I am new to Splunk and REGEX for that matter. What I am trying to accomplish is creating an alert when a specific event occurs with in an IP range without having to create an alert for every IP individually. Here is my very basic query.</P><P>index=n sourcetype=c message_text="you should not have done that" host="1.1.1.?" I put the question mark in there because this where I am stuck. The last octet is a range beginning at 23, and ending at 51. Excluding .26, .32, and .38-.44. Thank you for your time.</P> Thu, 11 Mar 2021 15:11:01 GMT https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543397#M153923 813_Gerb 2021-03-11T15:11:01Z https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543405#M153926 <P>Hi</P><P>you should try&nbsp;<A href="https://docs.splunk.com/Documentation/Splunk/8.1.2/SearchReference/ConditionalFunctions#cidrmatch.28.22X.22.2CY.29" target="_blank">cidrmatch("X",Y)</A>.There are also quite many examples how to use lookups for that.</P><LI-CODE lang="markup">... | where cidrmatch ("1.1.1.x/2x", &lt;your IP&gt;) OR cidrmatch("1.1.1.y/2y", &lt;your IP) ....</LI-CODE><P>As you haven't "clean" IP blocks, you must match those to suitable blocks and/or use larger block and then remove unwanted IPs.</P><P>r. Ismo.</P> Thu, 11 Mar 2021 15:25:59 GMT https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543405#M153926 isoutamo 2021-03-11T15:25:59Z https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543406#M153927 <P>The <FONT face="courier new,courier">search</FONT> command, which is implied before the first pipe, does not support regular expressions.&nbsp; The best you can do is use a wildcard to grab a larger set of IP addresses and trim the set with later commands.</P><P>The listed requirements don't lend themselves to a clean regex string, but perhaps this will help.</P><LI-CODE lang="markup">index=n sourcetype=c message_text="you should not have done that" host="1.1.1.*" | eval lastOctet=mvindex(split(host,"."), 3) | where (lastOctet&gt;=23 AND lastOctet&lt;=51 AND NOT lastOctet IN (26,32,38,39,40,41,42,43,44))</LI-CODE> Thu, 11 Mar 2021 15:27:25 GMT https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543406#M153927 richgalloway 2021-03-11T15:27:25Z https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543412#M153928 <P>If you are filtering data only on host=1.1.1.* then you can filter it using logical operators in the base search only:</P><P>&nbsp;</P><LI-CODE lang="markup">index=n sourcetype=c message_text="you should not have done that" (host&gt;="1.1.1.23" AND host&lt;="1.1.1.51") NOT (host&gt;="1.1.1.38" AND host&lt;="1.1.1.44") host!="1.1.1.26" host!="1.1.1.32"</LI-CODE><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 Mar 2021 15:38:42 GMT https://community.splunk.com/t5/Splunk-Search/Using-Regex-to-search-events-from-a-specific-ip-range/m-p/543412#M153928 manjunathmeti 2021-03-11T15:38:42Z