Could you advise me please, how to exclude IP subn...

smokerman · ‎05-25-2019

Hello,
Could you advise me please, how to exclude IP subnet not using each of them NOT 141.8.142.220 etc.
As example, my request is:
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 NOT 141.8.142.193 NOT 141.8.142.166 NOT 141.8.142.160 NOT 141.8.142.220 root=test1 | top limit=400 useragent clientip

Are there any variants like 141.8.142.* or 141.8.142.0/255 or anything like this?

Thank you in adv!

koshyk · ‎05-25-2019

Option1 ) do the base search and do an aggregation/evaluation to remove the IP range. Ensure you have it extracted to a field (say my_ip)

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200| where NOT cidrmatch("141.8.142.0/255", my_ip)| top limit=400 useragent clientip

Option 2) Do a wildcard filter to remove them in base search. This is not purely an IP range, but more of a string exclusion

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 root=test1 NOT (141.8.142*) | top limit=400 useragent clientip

FrankVl · ‎05-27-2019

Probably safer to do 141.8.142.* (including the 3rd .) instead of 141.8.142* (no 3rd .), since the latter also matches 123.141.8.142.

smokerman · ‎05-27-2019

Thank you! That is exactly what I need. It helped to clear the log on the site https://world-weather.ru

koshyk · ‎05-27-2019

cool. please upvote and accept, if it helped you. cheers

Could you advise me please, how to exclude IP subnet?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?

Are you a member of the Splunk Community?

Could you advise me please, how to exclude IP subnet?

Tech Talk Recap | Mastering Threat Hunting

Observability for AI Applications: Troubleshooting Latency

Splunk AI Assistant for SPL vs. ChatGPT: Which One is Better?