Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Exclude Source IP and Destination IP from results ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:03 AM
Hi There,
How do i Exclude Source IP and Destination IP from results if they belong to same private ip range? For e.g. in the results as shown below
| src_ip | dest_ip | count |
| 10.0.0.1 | 10.10.0.1 | 1 |
| 10.0.0.1 | 192.168.0.1 | 1 |
I need to exclude the first row in the statistics as they belong to same private ip range but want to keep the second row.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:54 AM
Well i tried this and it worked for me, thanks @ITWhisperer
.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
kamlesh_vaghela
SplunkTrust
06-29-2021
07:29 AM
Can you please try this?
Here I have considered below IP ranges as private IP ranges.
Private IP addresses:
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255
YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip dest_ip count
My Sample Search :
| makeresults | eval _raw="src_ip dest_ip count
10.0.0.1 10.10.0.1 1
10.0.0.1 192.168.0.1 1
10.0.0.1 10.10.0.1 1
10.0.0.1 10.10.0.1 1
172.16.0.0 172.31.255.255 1
192.168.0.0 192.168.255.255 1
10.0.0.1 10.10.0.1 1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip dest_ip count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip dest_ip count
Thanks
KV
▄︻̷̿┻̿═━一
If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:54 AM
Well i tried this and it worked for me, thanks @ITWhisperer
.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-29-2021
06:20 AM
Try something like:
| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:26 AM
No it doesn't work by this.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
ITWhisperer
SplunkTrust
06-29-2021
06:28 AM
In what way?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sarwshai
Communicator
06-29-2021
06:46 AM
I am still getting the same private ip range in the same rows
Get Updates on the Splunk Community!
Dashboards: Hiding charts while search is being executed and other uses for tokens
There are a couple of features of SimpleXML / Classic dashboards that can be used to enhance the user ...
Splunk Observability Cloud's AI Assistant in Action Series: Explaining Metrics and ...
This is the fourth post in the Splunk Observability Cloud’s AI Assistant in Action series that digs into how ...
Brains, Bytes, and Boston: Learn from the Best at .conf25
When you think of Boston, you might picture colonial charm, world-class universities, or even the crack of a ...
