Re: Exclude CIDR range from search results

shiftey · ‎06-02-2015

Hi Splunk Answers,

I want to exclude IP addresses from certain networks in search results. The range is 10.52.0.0/24 - 10.52.40.0/24.

If I want to exclude using one range I would use

| where NOT cidrmatch("10.52.0.0/24")

How would I exclude multiple ranges?

landen99 · ‎04-18-2019

1) Create a lookup table of cidr blocks
2) Create a lookup definition with the CIDR advanced option for matching
3) Use the lookup command and NOT out_field=*

index=... | lookup my_def in_field OUTPUT out_field | search NOT out_field=*

ptate · ‎11-02-2018

What if I wanted to use a lookup table for this? I have a lookup table of just a list of CIDR blocks and I want to exclude them when searching.

morethanyell · ‎10-29-2019

Check this app I created.

on Bitbucket: https://bitbucket.org/intalock/incidr/src/master/
on Github : https://github.com/morethanyell/incidr

This is an app I created that accepts multiple cidr blocks

stephanefotso · ‎06-03-2015

Here you go:

  ... |where (NOT cidrmatch("10.52.0.0/24",ipfield) AND NOT cidrmatch("10.52.40.0/24",ipfield))|table ipfield

Thanks

SGF

Exclude CIDR range from search results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk

Join the Conversation

Exclude CIDR range from search results

Unlock Database Monitoring with Splunk Observability Cloud

Purpose in Action: How Splunk Is Helping Power an Inclusive Future for All

[Upcoming Webinar] Demo Day: Transforming IT Operations with Splunk