1) Create a lookup table of CIDR blocks
2) Create a lookup definition with the CIDR advanced option for matching
3) Use the lookup command and NOT out_field=*
index=... | lookup my_def in_field OUTPUT out_field | search NOT out_field=*
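Steps 1 to 3 above written out as configuration, as an added example that is not part of the original answer. The lookup name `excluded_cidrs`, the CSV file name, the fields `cidr_block`, `excluded` and `src_ip`, and the index `my_index` are all assumed names:

```ini
# transforms.conf (added example; every name in it is an assumption)
#
# Step 1: lookups/excluded_cidrs.csv, constructed sample contents:
#   cidr_block,excluded
#   10.52.0.0/24,true
#   10.52.40.0/24,true
#
# Step 2: lookup definition that matches cidr_block as a CIDR range
# instead of as an exact string.
[excluded_cidrs]
filename = excluded_cidrs.csv
match_type = CIDR(cidr_block)
# Leave min_matches and default_match unset. With a default match, every
# event receives a value for "excluded", so the NOT excluded=* filter in
# step 3 would drop all events.
#
# Step 3: search that keeps only events whose src_ip falls in none of
# the listed blocks:
#   index=my_index
#   | lookup excluded_cidrs cidr_block AS src_ip OUTPUT excluded
#   | search NOT excluded=*
```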
What if I wanted to use a lookup table for this? I have a lookup table of just a list of CIDR blocks and I want to exclude them when searching.
Check this app I created.
On Bitbucket: https://bitbucket.org/intalock/incidr/src/master/
On GitHub: https://github.com/morethanyell/incidr
This is an app I created that accepts multiple CIDR blocks.
Here you go:
... | where (NOT cidrmatch("10.52.0.0/24", ipfield) AND NOT cidrmatch("10.52.40.0/24", ipfield)) | table ipfield
Thanks