specific ip remove sql question

nnonm111
Path Finder
index="fw" src_ip="192.168.10.*"
| rex "192\.168\.10\.(?<range>\d{1,3})"
| where range >=11 AND range <=126
| dedup src_ip
| stats count

I am getting the IPs from the command above.
I would like to look at the four IPs 192.168.10.16, 192.168.10.21, 192.168.10.26, 192.168.10.31 ~ 192.168.10.126. Is there a way?
0 Karma
1 Solution

scelikok
SplunkTrust

To use as a filter, you can use it in a subsearch:

index="fw" src_ip="192.168.10.*" 
| dedup src_ip 
| search 
    [| makeresults count=24 
    | streamstats count 
    | eval count=count+1 
    | eval count=count*5+1 
    | eval src_ip="192.168.10.".count 
    | stats values(src_ip) as src_ip ]
If this reply helps you, an upvote and "Accept as Solution" is appreciated.

0 Karma

scelikok
SplunkTrust

Hi @nnonm111,

You can use the search below to create output similar to your Python code.

| makeresults count=24 
| streamstats count 
| eval count=count+1 
| eval count=count*5+1 
| eval src_ip="192.168.10.".count 
| stats values(src_ip) as src_ip 
| nomv src_ip
If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

nnonm111
Path Finder

index="fw" src_ip="192.168.10.*"
| rex "192\.168\.10\.(?<range>\d{1,3})"
| where range >=11 AND range <=126
| dedup src_ip
| makeresults count=24
| streamstats count
| eval count=count+1
| eval count=count*5+1
| eval src_ip="192.168.10.".count
| stats values(src_ip) as src_ip
| nomv src_ip


You'll get that error.

Error in 'makeresults' command: This command must be the first command of a search.

0 Karma

scelikok
SplunkTrust

You can use regex to filter those IP addresses; please try below:

| regex src_ip!="192\.168\.10\.1[2-5]"
If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma
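
Added example, not part of the thread: a Python model (constructed sample `src_ip` values, hypothetical function names) that compares the exact-match list built by the subsearch answer with the regex exclusion above, which Splunk's `regex` command applies unanchored. It checks that the `makeresults` arithmetic yields the same 24 addresses as `range(11, 127, 5)` and reports which addresses the regex drops or keeps by mistake.

```python
import re

PREFIX = "192.168.10."

# Constructed sample of src_ip values as they might appear in index="fw"
SAMPLE = ["192.168.10.11", "192.168.10.12", "192.168.10.16", "192.168.10.17",
          "192.168.10.16", "192.168.10.121", "192.168.10.126",
          "192.168.10.127", "192.168.10.5"]

def wanted_ips():
    """Every 5th host from .11 to .126, as in the asker's Python loop."""
    return {f"{PREFIX}{i}" for i in range(11, 127, 5)}

def makeresults_ips():
    """Arithmetic of the SPL subsearch: count=1..24 -> (count+1)*5+1."""
    return {f"{PREFIX}{(n + 1) * 5 + 1}" for n in range(1, 25)}

def subsearch_filter(events):
    """Model of `dedup src_ip | search [...]`: exact-match allow list."""
    allow, seen, out = wanted_ips(), set(), []
    for ip in events:
        if ip in allow and ip not in seen:
            seen.add(ip)
            out.append(ip)
    return out

# Pattern from the regex reply; it has no ^/$ anchors
UNANCHORED = re.compile(r"192\.168\.10\.1[2-5]")

def regex_exclude(events):
    """Model of `regex src_ip!=...`: drop a value if the pattern matches anywhere."""
    return [ip for ip in events if not UNANCHORED.search(ip)]

def wrongly_dropped(events):
    """Wanted addresses the unanchored exclusion removes (.12x prefixes)."""
    kept = set(regex_exclude(events))
    return sorted(ip for ip in set(events) & wanted_ips() if ip not in kept)

def wrongly_kept(events):
    """Unwanted addresses the exclusion lets through (outside .12 to .15)."""
    return sorted(set(regex_exclude(events)) - wanted_ips())

if __name__ == "__main__":
    print("subsearch keeps:", subsearch_filter(SAMPLE))
    print("regex drops by mistake:", wrongly_dropped(SAMPLE))
    print("regex keeps by mistake:", wrongly_kept(SAMPLE))
```
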

nnonm111
Path Finder

The sql does not fit.

index=fw
field=src_ip

Python code:
a = '192.168.11.'

for i in range(11,127,5):
    ip = str(a)+str(i)
    print(ip)

Can the Python be expressed in sql?

0 Karma

scelikok
SplunkTrust

Hi @nnonm111,

Your question is not clear; could you please tell us what you want to do with those four IPs? (The list actually has five IPs.)

If this reply helps you, an upvote and "Accept as Solution" is appreciated.
0 Karma

nnonm111
Path Finder

After 192.168.10.11, we would like to exclude 4 IPs (192.168.10.12, 13, 14, 15), up to 192.168.10.126.

Output value:
192.168.10.11
192.168.10.16
192.168.10.21
.
.
.
192.168.10.126

0 Karma