Exclude CIDR range from search results


Hi Splunk Answers,

I want to exclude IP addresses from certain networks in search results. The range is -

If I want to exclude using one range I would use

| where NOT cidrmatch("")

How would I exclude multiple ranges?

0 Karma


1) Create a lookup table of CIDR blocks
2) Create a lookup definition with the CIDR advanced option for matching
3) Use the lookup command and NOT out_field=*

index=... | lookup my_def in_field OUTPUT out_field | search NOT out_field=*
0 Karma
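
The three steps in the answer above, written out as an added example that is not part of the original answer. The file name excluded_cidrs.csv, the column names cidr_block and excluded, the event field src_ip and the sample ranges are assumptions; my_def is the definition name used in the answer's search.

```ini
# Step 1: lookups/excluded_cidrs.csv (constructed sample ranges)
#   cidr_block,excluded
#   10.0.0.0/8,true
#   192.168.0.0/16,true
#   203.0.113.0/24,true

# Step 2: transforms.conf, the file form of the lookup definition
# with the CIDR match type set for the cidr_block column
[my_def]
filename = excluded_cidrs.csv
match_type = CIDR(cidr_block)
# One matching block is enough to mark an address as excluded
max_matches = 1
# Default value: events whose address matches no block get no
# "excluded" field at all, which is what step 3 relies on
min_matches = 0

# Step 3: the search. src_ip is the event field holding the address.
#   index=... | lookup my_def cidr_block AS src_ip OUTPUT excluded
#             | search NOT excluded=*
```

Events that have no src_ip value at all also pass `NOT excluded=*`, so add `src_ip=*` to the base search if those should be dropped as well.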

What if I wanted to use a lookup table for this? I have a lookup table of just a list of CIDR blocks and I want to exclude them when searching.

0 Karma


Check this app I created.

on Bitbucket:
on GitHub:

This is an app I created that accepts multiple CIDR blocks.

0 Karma


Here you go:

  ... | where (NOT cidrmatch("",ipfield) AND NOT cidrmatch("",ipfield)) | table ipfield

