Hello,
Could you advise me please how to exclude an IP subnet without listing each address separately (NOT 141.8.142.220 etc.)?
As example, my request is:
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 NOT 141.8.142.193 NOT 141.8.142.166 NOT 141.8.142.160 NOT 141.8.142.220 root=test1 | top limit=400 useragent clientip
Are there any variants like 141.8.142.* or 141.8.142.0/255 or anything like this?
Thank you in advance!
Option 1) Do the base search and then an aggregation/evaluation to remove the IP range. Ensure you have the address extracted to a field (say my_ip).
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 | where NOT cidrmatch("141.8.142.0/24", my_ip) | top limit=400 useragent clientip
Option 2) Do a wildcard filter to remove them in the base search. This is not purely an IP range, but more of a string exclusion.
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 root=test1 NOT (141.8.142*) | top limit=400 useragent clientip
Probably safer to do 141.8.142.* (including the 3rd .) instead of 141.8.142* (no 3rd .), since the latter also matches 123.141.8.142.
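 
The following is an added example, not part of the original thread and not Splunk's own code: it re-creates both exclusion approaches from the answer (the cidrmatch-style filter and the wildcard string exclusion) and the over-match the comment above warns about, outside Splunk, so the behaviour can be checked on a handful of constructed access_combined lines. The wildcard filter is approximated as a glob match anywhere in the raw line, which is an assumption about Splunk's term matching, not a reproduction of it; the log lines, addresses and user agents are constructed.

```python
# Added example (not from the original thread). Models the two Splunk
# exclusion options in plain Python so their edge cases can be verified.
import fnmatch
import ipaddress
import re
from collections import Counter

# Constructed access_combined lines (not real traffic). The third line has a
# client IP that merely *contains* the string 141.8.142.
SAMPLE_LOG = """\
141.8.142.193 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
141.8.142.220 - - [10/Oct/2023:13:55:37 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "YandexBot/3.0"
123.141.8.142 - - [10/Oct/2023:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/8.0"
141.8.143.10 - - [10/Oct/2023:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Oct/2023:13:55:40 +0000] "GET /admin HTTP/1.1" 404 128 "-" "Mozilla/5.0"
"""

# Minimal access_combined field extraction: clientip, status, useragent.
LOG_RE = re.compile(
    r'^(?P<clientip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<useragent>[^"]*)"$'
)


def parse_events(text):
    """Turn raw log text into events with extracted fields plus the raw line."""
    events = []
    for raw in text.splitlines():
        m = LOG_RE.match(raw)
        if m:
            events.append({**m.groupdict(), "_raw": raw})
    return events


def valid_cidr(cidr):
    """True if the string is a well-formed network (e.g. 141.8.142.0/24).
    A '/255' suffix is not a prefix length and is rejected."""
    try:
        ipaddress.ip_network(cidr)
        return True
    except ValueError:
        return False


def cidr_exclude(events, cidr):
    """Equivalent of `| where NOT cidrmatch(cidr, clientip)`: a proper
    network-membership test on the extracted address."""
    net = ipaddress.ip_network(cidr)
    return [e for e in events if ipaddress.ip_address(e["clientip"]) not in net]


def wildcard_exclude(events, pattern):
    """Approximation (assumption, not Splunk's exact term matching) of
    `NOT (pattern)` in the base search: drop any event whose raw text
    contains a glob match for the pattern."""
    return [e for e in events if not fnmatch.fnmatchcase(e["_raw"], "*" + pattern + "*")]


def top_useragent_clientip(events, limit=400):
    """Rough equivalent of `| top limit=N useragent clientip`."""
    return Counter((e["useragent"], e["clientip"]) for e in events).most_common(limit)


def run_search(text, cidr="141.8.142.0/24"):
    """Option 1 end to end: status=200, then drop the subnet, then top."""
    events = [e for e in parse_events(text) if e["status"] == "200"]
    return top_useragent_clientip(cidr_exclude(events, cidr))


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    print("valid /255:", valid_cidr("141.8.142.0/255"))
    print("kept by CIDR /24:", [e["clientip"] for e in cidr_exclude(events, "141.8.142.0/24")])
    print("kept by 141.8.142*:", [e["clientip"] for e in wildcard_exclude(events, "141.8.142*")])
    print("kept by 141.8.142.*:", [e["clientip"] for e in wildcard_exclude(events, "141.8.142.*")])
    print("top:", run_search(SAMPLE_LOG))
```

Running it shows the point of the comment: the pattern without the trailing dot also discards the 123.141.8.142 event, while both the dotted pattern and the CIDR test keep it; and the CIDR test is the only one of the three that is actually an address-range check rather than a string check.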
Thank you! That is exactly what I need. It helped to clear the log on the site https://world-weather.ru
Cool. Please upvote and accept if it helped you. Cheers.