I am building a search query and trying to find the correct syntax to exclude specific combinations of source and destination IP addresses. For instance, in the search results I want to exclude results only between specific source and destination IPs. So if there is a lot of traffic happening between 192.168.1.5 and 192.168.1.20 I want to only exclude traffic between those two IPs, but still see traffic between 192.168.1.5 and other IPs.
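The exclusion described in the question, written out as an added SPL example (it is not from any reply on this thread). It uses makeresults to build four constructed events so it runs on any Splunk instance without data; on real data, replace the makeresults/streamstats/eval lines with the base search. The field names src_ip and dest_ip are assumptions and should be matched to the sourcetype in use.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_ip=case(n=1, "192.168.1.5", n=2, "192.168.1.5", n=3, "192.168.1.20", n=4, "192.168.1.7")
| eval dest_ip=case(n=1, "192.168.1.20", n=2, "192.168.1.9", n=3, "192.168.1.5", n=4, "192.168.1.20")
| search NOT (src_ip="192.168.1.5" AND dest_ip="192.168.1.20")
         NOT (src_ip="192.168.1.20" AND dest_ip="192.168.1.5")
| table n src_ip dest_ip
```

Only rows 2 (192.168.1.5 to 192.168.1.9) and 4 (192.168.1.7 to 192.168.1.20) survive; traffic from 192.168.1.5 to other hosts is kept. Two NOT clauses are needed because a pair is directional; drop the second if only one direction should be suppressed. Each further pair is another NOT (...) clause, and the parentheses are not optional: NOT binds tighter than AND in Splunk, so `NOT src_ip="a" AND dest_ip="b"` means `(NOT src_ip="a") AND dest_ip="b"` and would keep only traffic to "b" from anyone except "a".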
cidrmatch is what you're looking for
| eval IP_Range = if(cidrmatch("192.168.1.5/25", ip), "local", "not local")
http://docs.splunk.com/Documentation/Splunk/7.0.2/SearchReference/ConditionalFunctions
@johann2017 did this work for you?
Hello Skoelpin. I don't think cidrmatch is what I need?
Hey
Imagine you want to exclude some combinations you have in a lookup, you could use:
yoursearch | search NOT ( [ | inputlookup ipscombination | return 1000 source, dest | rex field="search" mode=sed "s/OR/AND/g" ] )
That would exclude the combinations of source/dest you have in a lookup.
Hey Tiago - where exactly in the query do I place the IP addresses? Does this work for only 2 IPs? Will it work for more than 2?
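For more than a handful of pairs, the lookup-driven approach suggested above can be written without the sed rewrite, because `format` already joins a subsearch's columns with AND and its rows with OR, which is exactly the shape a pair exclusion needs. This is an added example, not code from the thread. It assumes a CSV lookup named excluded_pairs.csv with the columns src_ip and dest_ip (the first query constructs it with two pairs), an index named firewall, and events whose fields are called src_ip and dest_ip.

```spl
| makeresults count=2
| streamstats count AS n
| eval src_ip=if(n=1, "192.168.1.5", "192.168.1.20")
| eval dest_ip=if(n=1, "192.168.1.20", "192.168.1.5")
| fields src_ip dest_ip
| outputlookup excluded_pairs.csv

index=firewall
    NOT [ | inputlookup excluded_pairs.csv | fields src_ip dest_ip | format ]
| table _time src_ip dest_ip dest_port action
```

The subsearch expands to `( ( src_ip="192.168.1.5" AND dest_ip="192.168.1.20" ) OR ( src_ip="192.168.1.20" AND dest_ip="192.168.1.5" ) )`, so adding a pair is one more row in the CSV and nothing changes in the query. Subsearches are capped (10,000 results by default) and time-limited, so for very large lists add a marker column such as exclude=1 to the lookup and use `| lookup excluded_pairs.csv src_ip dest_ip OUTPUT exclude | where isnull(exclude)` instead, which scales with the event stream rather than with the size of the generated search string.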