Splunk Search

Could you advise me please, how to exclude IP subnet?

smokerman
New Member

Hello,
Could you advise me, please, how to exclude an IP subnet without listing each address separately (NOT 141.8.142.220 etc.)?
As example, my request is:
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 NOT 141.8.142.193 NOT 141.8.142.166 NOT 141.8.142.160 NOT 141.8.142.220 root=test1 | top limit=400 useragent clientip

Are there any variants like 141.8.142.* or 141.8.142.0/255 or anything like this?

Thank you in advance!


koshyk
Super Champion

Option 1) Do the base search and then an aggregation/evaluation to remove the IP range. Ensure you have the IP extracted to a field (say my_ip).

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 | where NOT cidrmatch("141.8.142.0/24", my_ip) | top limit=400 useragent clientip

Option 2) Do a wildcard filter to remove them in the base search. This is not purely an IP range, but more of a string exclusion.

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 root=test1 NOT (141.8.142*) | top limit=400 useragent clientip

FrankVl
Ultra Champion

Probably safer to do 141.8.142.* (including the 3rd .) instead of 141.8.142* (no 3rd .), since the latter also matches 123.141.8.142.

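The difference between koshyk's two options and FrankVl's trailing-dot point is easy to check outside Splunk. The following Python is an added example, not code from this thread or from Splunk: it emulates, over a few constructed access_combined lines, what `where NOT cidrmatch(...)` and a bare `NOT 141.8.14*` term do to the same events, and then the `top useragent clientip` aggregation. It goes beyond the /24 in the question to a /22, which a string wildcard cannot express: `141.8.14*` also drops 141.8.14.x and 141.8.149.x, while the CIDR test drops exactly 141.8.140.0 to 141.8.143.255. The `cidrmatch` helper mirrors the SPL argument order (CIDR first, IP second) and, like Splunk, only understands a prefix length, so `141.8.142.0/255` is rejected rather than silently matching nothing. The log lines, IPs and user agents are made up for the demonstration.

```python
import fnmatch
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access_combined lines (not real traffic). The client IPs
# are chosen so that a /22 CIDR test and a string wildcard disagree.
SAMPLE_LOG = """\
141.8.142.193 - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 2326 "-" "YandexBot/3.0"
141.8.142.166 - - [10/Oct/2023:13:55:37 +0000] "GET / HTTP/1.1" 200 2326 "-" "YandexBot/3.0"
141.8.140.5 - - [10/Oct/2023:13:55:38 +0000] "GET / HTTP/1.1" 200 512 "-" "YandexBot/3.0"
141.8.14.7 - - [10/Oct/2023:13:55:39 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
141.8.149.9 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:41 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Oct/2023:13:55:42 +0000] "GET /missing HTTP/1.1" 404 512 "-" "Mozilla/5.0"
"""

# Field extraction equivalent to what the access_combined sourcetype gives you.
ACCESS_COMBINED = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<useragent>[^"]*)"$'
)


def parse_access_combined(text):
    """Return one dict per parseable line with clientip, request, status, useragent."""
    events = []
    for line in text.splitlines():
        m = ACCESS_COMBINED.match(line)
        if m:
            events.append(m.groupdict())
    return events


def cidrmatch(cidr, ip):
    """Same argument order as SPL cidrmatch(cidr, ip): true if ip lies in cidr.
    A malformed prefix such as 141.8.142.0/255 raises ValueError instead of
    silently matching nothing."""
    return ip_address(ip) in ip_network(cidr, strict=False)


def wildcard_match(pattern, ip):
    """What a bare `NOT 141.8.14*` term amounts to: a string test on the IP text."""
    return fnmatch.fnmatchcase(ip, pattern)


def search(events, exclude):
    """Emulate: status=200 | where NOT exclude(clientip) | top useragent clientip.
    Returns a Counter keyed by (useragent, clientip)."""
    kept = [e for e in events if e["status"] == "200" and not exclude(e["clientip"])]
    return Counter((e["useragent"], e["clientip"]) for e in kept)


def run_demo():
    """Run the three exclusions over the sample and return their top results."""
    events = parse_access_combined(SAMPLE_LOG)
    return {
        # Option 1 with a real prefix length: exactly 141.8.140.0 .. 141.8.143.255.
        "cidr_22": search(events, lambda ip: cidrmatch("141.8.140.0/22", ip)),
        # Option 2 without the trailing dot: over-matches 141.8.14.x and 141.8.149.x too.
        "wild_nodot": search(events, lambda ip: wildcard_match("141.8.14*", ip)),
        # FrankVl's form: the trailing dot pins the pattern to the third octet.
        "wild_dot": search(events, lambda ip: wildcard_match("141.8.142.*", ip)),
    }


if __name__ == "__main__":
    for name, top in run_demo().items():
        print(name)
        for (ua, ip), n in top.most_common():
            print(f"  {n:>3}  {ip:<15} {ua}")
```

Running it shows `cidr_22` keeping 141.8.14.7, 141.8.149.9 and 203.0.113.10, `wild_nodot` keeping only 203.0.113.10, and `wild_dot` keeping everything except the two 141.8.142 hosts. In production, Option 1 is the one to prefer whenever the exclusion is genuinely a network: the CIDR test is exact, readable and auditable, while the wildcard form depends on the textual shape of the address and on where Splunk breaks the token.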

smokerman
New Member

Thank you! That is exactly what I need. It helped to clear the log on the site https://world-weather.ru


koshyk
Super Champion

Cool. Please upvote and accept if it helped you. Cheers.
