Hi There,
How do I exclude source IP and destination IP from results if they belong to the same private IP range? E.g. in the results as shown below:
src_ip | dest_ip | count |
10.0.0.1 | 10.10.0.1 | 1 |
10.0.0.1 | 192.168.0.1 | 1 |
I need to exclude the first row in the statistics as they belong to the same private IP range, but want to keep the second row.
Well, I tried this and it worked for me, thanks @ITWhisperer
.....| eval str=if(cidrmatch("10.0.0.0/8",src),1,0)| eval dtr=if(cidrmatch("10.0.0.0/8",dest),1,0)| stats count by src dest str dtr|where str!=dtr
Can you please try this?
Here I have considered the IP ranges below as private IP ranges.
Private IP addresses:
YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3})\.(?<src_range_2>[0-9]{1,3})\.[0-9]{1,3}\."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3})\.(?<dest_range_2>[0-9]{1,3})\.[0-9]{1,3}\."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
    src_range_1="10" AND dest_range_1="10", "0",
    src_range_1="192" AND src_range_2="168" AND dest_range_1="192" AND dest_range_2="168", "0",
    src_range_1="172" AND dest_range_1="172" AND tonumber(src_range_2)>=16 AND tonumber(src_range_2)<=31 AND tonumber(dest_range_2)>=16 AND tonumber(dest_range_2)<=31, "0",
    true(), "1")
| where is_valid_ip="1"
| table src_ip dest_ip count
My sample search:
| makeresults | eval _raw="src_ip dest_ip count
10.0.0.1 10.10.0.1 1
10.0.0.1 192.168.0.1 1
10.0.0.1 10.10.0.1 1
10.0.0.1 10.10.0.1 1
172.16.0.0 172.31.255.255 1
192.168.0.0 192.168.255.255 1
10.0.0.1 10.10.0.1 1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3})\.(?<src_range_2>[0-9]{1,3})\.[0-9]{1,3}\."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3})\.(?<dest_range_2>[0-9]{1,3})\.[0-9]{1,3}\."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
    src_range_1="10" AND dest_range_1="10", "0",
    src_range_1="192" AND src_range_2="168" AND dest_range_1="192" AND dest_range_2="168", "0",
    src_range_1="172" AND dest_range_1="172" AND tonumber(src_range_2)>=16 AND tonumber(src_range_2)<=31 AND tonumber(dest_range_2)>=16 AND tonumber(dest_range_2)<=31, "0",
    true(), "1")
| where is_valid_ip="1"
| table src_ip dest_ip count
Thanks
KV
▄︻̷̿┻̿═━一
If any of my replies helps you solve the problem or gain knowledge, an upvote would be appreciated.
Try something like:
| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)
No, it doesn't work with this.
In what way?
I am still getting the same private IP range in the same rows.
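A compact way to implement the "same private range" rule from the original question, combining ITWhisperer's cidrmatch approach with KV's idea of labelling each side of the pair, as an added example rather than code from any post in this thread. It generalises from the single 10.0.0.0/8 check in the reply above to all three RFC 1918 blocks (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and uses the src_ip, dest_ip and count field names from the question; the makeresults rows are constructed sample data, not from the thread.

```spl
| makeresults | eval _raw="src_ip dest_ip count
10.0.0.1 10.10.0.1 1
10.0.0.1 192.168.0.1 1
172.16.0.5 172.31.255.255 1
172.16.0.5 172.40.0.5 1
192.168.0.0 192.168.255.255 1
8.8.8.8 10.0.0.1 1
" | multikv forceheader=1
| eval src_range=case(
    cidrmatch("10.0.0.0/8", src_ip),     "10.0.0.0/8",
    cidrmatch("172.16.0.0/12", src_ip),  "172.16.0.0/12",
    cidrmatch("192.168.0.0/16", src_ip), "192.168.0.0/16",
    true(),                              "public")
| eval dest_range=case(
    cidrmatch("10.0.0.0/8", dest_ip),     "10.0.0.0/8",
    cidrmatch("172.16.0.0/12", dest_ip),  "172.16.0.0/12",
    cidrmatch("192.168.0.0/16", dest_ip), "192.168.0.0/16",
    true(),                               "public")
| where src_range="public" OR dest_range="public" OR src_range!=dest_range
| table src_ip dest_ip count src_range dest_range
```

On the sample rows, the three pairs whose two ends sit in the same RFC 1918 block (10.0.0.1 to 10.10.0.1, 172.16.0.5 to 172.31.255.255, 192.168.0.0 to 192.168.255.255) are dropped, while 10.0.0.1 to 192.168.0.1, 172.16.0.5 to 172.40.0.5 (172.40.0.0 lies outside 172.16.0.0/12, so it is labelled public) and 8.8.8.8 to 10.0.0.1 are kept. In a real search, place the two eval and the where after your stats count by src_ip dest_ip so the labels are computed once per pair rather than once per event. Using cidrmatch instead of a rex on the octets avoids the unescaped-dot pitfall, where a bare "." in the regex matches any character, and it handles the 172.16/12 boundary without manual range arithmetic.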