https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45464#M179303 <P>That <EM>should</EM> work. What you could try is specify <CODE>NOT dest_ip=10.10.0.0/16</CODE> instead, but that's rather for covering the case when no dest_ip exists at all.</P> Fri, 06 Jan 2012 19:05:06 GMT Ayn 2012-01-06T19:05:06Z https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45463#M179302 <P>I noticed with splunk you can search subnets now. However I would like to search for all communications via my internal network to my external network. When doing something like this however it does not work. </P> <P>src_ip=10.10.0.0/16 dest_ip!=10.10.0.0/16</P> <P>This does not work. How would I correctly search for what I am seeking?</P> Mon, 28 Sep 2020 10:17:02 GMT https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45463#M179302 bengridley 2020-09-28T10:17:02Z https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45464#M179303 <P>That <EM>should</EM> work. What you could try is specify <CODE>NOT dest_ip=10.10.0.0/16</CODE> instead, but that's rather for covering the case when no dest_ip exists at all.</P> Fri, 06 Jan 2012 19:05:06 GMT https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45464#M179303 Ayn 2012-01-06T19:05:06Z https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45465#M179304 <P>Perhaps make use of the cidrmatch function: <CODE>* | where NOT cidrmatch("10.10.0.0/16", dest_ip) AND cidrmatch("10.10.0.0/16",src_ip)</CODE></P> Fri, 06 Jan 2012 21:05:43 GMT https://community.splunk.com/t5/Splunk-Search/Searching-subnets/m-p/45465#M179304 rtadams89 2012-01-06T21:05:43Z