Hi Splunk Answers,
I want to exclude IP addresses from certain networks in search results. The range is 10.52.0.0/24 - 10.52.40.0/24.
If I want to exclude using one range I would use
| where NOT cidrmatch("10.52.0.0/24")
How would I exclude multiple ranges?
1) Create a lookup table of cidr blocks
2) Create a lookup definition with the CIDR advanced option for matching
3) Use the lookup command and NOT out_field=*
index=... | lookup my_def in_field OUTPUT out_field | search NOT out_field=*
What if I wanted to use a lookup table for this? I have a lookup table of just a list of CIDR blocks and I want to exclude them when searching.
Check this app I created.
on Bitbucket: https://bitbucket.org/intalock/incidr/src/master/
on Github : https://github.com/morethanyell/incidr
This is an app I created that accepts multiple cidr blocks
Here you go:
... |where (NOT cidrmatch("10.52.0.0/24",ipfield) AND NOT cidrmatch("10.52.40.0/24",ipfield))|table ipfield