Solved: How to exclude CIDR range from Splunk Enterprise S...

saidshow · ‎12-29-2019

We have a number of alerts in Splunk ES that are triggered by our external scanner. We want to be able to exclude our own external scanner from these alerts in Splunk ES. I have the CIDR range for our scanner however my training for Splunk ES is not until March. I would like to make a move on excluding the scanner from these alerts and looking at more meaningful alerts.

Thank you.

to4kawa · ‎12-30-2019

index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

View solution in original post

lkutch_splunk · ‎01-02-2020

Which version of ES? Maybe you could use MLTK. There's an example of filtering out the CIDR range of test servers by using .src!=10.11.36.0/24: https://docs.splunk.com/Documentation/ES/6.0.0/Admin/MLTKoverview#Finding_outliers_with_DensityFunct...

saidshow · ‎01-02-2020

Mate, that is terrific. I will see if I can get this working on Monday. Thank you for taking the time to assist. It is appreciated.

to4kawa · ‎12-30-2019

index=_internal
| search NOT 127.0.0.0/8

Hi, @saidshow
This query is the sample of exclude CIDR.

your_search
|search NOT your_ip_and_prefix

How about this?

saidshow · ‎01-02-2020

I tried it and it worked just fine - it was actually so simple I overlooked it. This works both as:

my_search NOT field=value

and as

my_search
| search NOT field=value

I prefer the second as it is clearer in the search. Thank you again. Very simple.

to4kawa · ‎01-02-2020

The second is slower, so the first is fine. Happy splunking.

saidshow · ‎01-02-2020

Thank you, this looks very simple. I will give this a try in a moment.

How to exclude CIDR range from Splunk Enterprise Security alert

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

New in Observability Cloud - Explicit Bucket Histograms