Exclude CIDR range from search results

Hi Splunk Answers,

I want to exclude IP addresses from certain networks in search results. The range is -

If I want to exclude using one range I would use

| where NOT cidrmatch("")

How would I exclude multiple ranges?

0 Karma


1) Create a lookup table of CIDR blocks
2) Create a lookup definition with the CIDR advanced option for matching
3) Use the lookup command and NOT out_field=*

index=... | lookup my_def in_field OUTPUT out_field | search NOT out_field=*
0 Karma
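
The three steps from the answer above, written out as an added example (not part of the original post or of any shipped Splunk configuration). The lookup name excluded_cidrs, the column names cidr_block and excluded, the sample ranges and the event field src_ip are all assumptions.

```ini
# Step 1: lookup file lookups/excluded_cidrs.csv (constructed sample rows):
#   cidr_block,excluded
#   10.0.0.0/8,true
#   192.168.0.0/16,true
#   172.16.0.0/12,true

# Step 2: lookup definition in transforms.conf. This is the file-level
# equivalent of ticking the CIDR match type under "Advanced options" in the UI.
[excluded_cidrs]
filename = excluded_cidrs.csv
# Treat the cidr_block column as a network range. Without this line the
# lookup does an exact string comparison, no event IP ever matches a row,
# and nothing gets excluded.
match_type = CIDR(cidr_block)
# One matching range is enough to mark an event as excluded.
max_matches = 1

# Step 3: search. Events whose src_ip falls inside any listed range get
# excluded=true from the lookup; "NOT excluded=*" keeps only the events
# where the lookup returned nothing.
#   index=... | lookup excluded_cidrs cidr_block AS src_ip OUTPUT excluded | search NOT excluded=*
```

Adding or removing a range is then an edit to the CSV only; the search itself does not change.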

What if I wanted to use a lookup table for this? I have a lookup table of just a list of CIDR blocks and I want to exclude them when searching.

0 Karma


Check this app I created.

on Bitbucket:
on GitHub:

This is an app I created that accepts multiple CIDR blocks.

0 Karma


Here you go:

  ... | where (NOT cidrmatch("", ipfield) AND NOT cidrmatch("", ipfield)) | table ipfield

