Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Exclude Source IP and Destination IP from resu...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:03 AM
Hi There,
How do i Exclude Source IP and Destination IP from results if they belong to same private ip range? For e.g. in the results as shown below
| src_ip | dest_ip | count |
| 10.0.0.1 | 10.10.0.1 | 1 |
| 10.0.0.1 | 192.168.0.1 | 1 |
I need to exclude the first row in the statistics as they belong to same private ip range but want to keep the second row.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:54 AM
Well i tried this and it worked for me, thanks @ITWhisperer
.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
06-29-2021
07:29 AM
Can you please try this?
Here I have considered below IP ranges as private IP ranges.
Private IP addresses:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip dest_ip count
My Sample Search :
| makeresults | eval _raw="src_ip dest_ip count
10.0.0.1 10.10.0.1 1
10.0.0.1 192.168.0.1 1
10.0.0.1 10.10.0.1 1
10.0.0.1 10.10.0.1 1
172.16.0.0 172.31.255.255 1
192.168.0.0 192.168.255.255 1
10.0.0.1 10.10.0.1 1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip dest_ip count
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:54 AM
Well i tried this and it worked for me, thanks @ITWhisperer
.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-29-2021
06:20 AM
Try something like:
| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:26 AM
No it doesn't work by this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-29-2021
06:28 AM
In what way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:46 AM
I am still getting the same private ip range in the same rows
Get Updates on the Splunk Community!
October Community Champions: A Shoutout to Our Contributors!
As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...
Community Content Calendar, November Edition
Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
What are Community Office Hours?
Community Office Hours is an interactive 60-minute Zoom series where ...
