Where would you recommend excluding this traffic? At the dashboard level or the data model level?

I believe it should be a constraint in the data model, but it doesn't seem to work as expected.

If at the dashboard level, where should NOT cidrmatch("192.168.0.0/16",src) go?

| tstats summariesonly values(Authentication.app) as app, latest(Authentication.user_bunit) as user_bunit from datamodel=Authentication.Authentication where * by Authentication.user,Authentication.src _time span=1s
| drop_dm_object_name("Authentication")
| eventstats dc(src) as src_count by user
| search src_count>1
| sort 0 + _time
| get_asset(src)
| iplocation src
| eval session_city=if(isnull(src_city), City, src_city)
| eval session_country=if(isnull(src_country), Country, src_country)
| eval session_lat=if(isnull(src_lat), lat, src_lat)
| eval session_lon=if(isnull(src_long), lon, src_long)
| where isnotnull(session_lat) and isnotnull(session_lon)
| streamstats current=t window=2 earliest(session_lat) as prev_lat, earliest(session_lon) as prev_lon, earliest(_time) as prev_time, earliest(src) as prev_src, earliest(session_city) as prev_city, earliest(session_country) as prev_country, earliest(app) as prev_app, latest(user_bunit) as user_bunit by user
| where (src!=prev_src)
| globedistance(session_lat,session_lon,prev_lat,prev_lon,"m")
| eval time_diff=if((_time-prev_time)==0, 1, _time - prev_time)
| eval speed = round(distance*3600/time_diff,2)
| where speed>500 | uitime(prev_time)
| table user, user_bunit, src, _time, session_city, session_country, app, prev_src, prev_time, prev_city, prev_country, prev_app, distance, speed

If at the data model level, where should NOT (action=success user=$ src=192.168..*) go?

My Authentication data model looks like:

Successful Authentication
Successful_Authentication

CONSTRAINTS

(cim_Authentication_indexes) tag=authentication NOT (action=success user=$) *Inherited
action="success" Constraint

Any guidance is appreciated, support hasn't been any help.