Splunk Search

How to filter internal IP address in Splunk search

nnimbe
Path Finder

Hi All,

I want to filter out an internal IP range while searching. Can you please suggest some of the best search commands?

I also wanted to know how to use a "not between" command, like not between 172.16 to 172.31, while filtering.


nickhills
Ultra Champion

I'm not aware of a "between" (and thus a negated version) command per se, however for numbers you can use < >.

The problem with the example you have used is that "192.16" is a string (or at best a decimal), so you can't really use the concept of "between" in the context of an IP address.
If you are searching a "well formed" address like 192.16.0.0 you can use < >, but I can't think of an example where that is better or more flexible than CIDR.

your search NOT (src_ip>172.16.0.0 AND src_ip<172.31.254.254)
If my comment helps, please give it a thumbs up!
0 Karma

nickhills
Ultra Champion

Ah, thought of an example: if you wanted to look for hosts with a specific host address, but a varying subnet, e.g. 192.168.[16-31].25.
In this case you could use rex to filter the hosts you were interested in, or perhaps a custom search command.

If my comment helps, please give it a thumbs up!
0 Karma

nnimbe
Path Finder

Thanks, but I just wanted to know specifically how to use the not between command for ranges.....

0 Karma

DalJeanis
SplunkTrust

I don't believe there is such an operator as "between" in Splunk, let alone NOT between.

0 Karma

nickhills
Ultra Champion

If your IP addresses are extracted or contained in a field, you can use CIDR notation:

your search NOT src_ip=172.16.0.0/12

will exclude IPs from 172.16-31.x.x

If my comment helps, please give it a thumbs up!
0 Karma
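Added example (not part of the thread and not Splunk code): a Python sketch that compares the `< >` range filter with the CIDR filter discussed above, on constructed addresses. It assumes the `< >` comparison is applied to the address as text, in lexicographic order; the function names and sample values are illustrative.

```python
import ipaddress

# The block from the thread: 172.16.0.0 through 172.31.255.255
INTERNAL = ipaddress.ip_network("172.16.0.0/12")


def in_cidr(ip: str) -> bool:
    """True when ip is inside 172.16.0.0/12 (numeric comparison)."""
    try:
        return ipaddress.ip_address(ip) in INTERNAL
    except ValueError:
        # Placeholder or malformed field values ("-", "unknown") are never internal
        return False


def in_string_range(ip: str) -> bool:
    """Assumed model of src_ip>172.16.0.0 AND src_ip<172.31.254.254 on text values."""
    return "172.16.0.0" < ip < "172.31.254.254"


def disagreements(ips):
    """Addresses that the two filters classify differently."""
    return [ip for ip in ips if in_cidr(ip) != in_string_range(ip)]


def external_only(ips):
    """Equivalent of NOT src_ip=172.16.0.0/12: keep everything outside the block."""
    return [ip for ip in ips if not in_cidr(ip)]


# Constructed sample addresses, not taken from any real log
SAMPLE = [
    "172.16.5.10",   # inside the block, both filters agree
    "172.19.7.7",    # inside the block, both filters agree
    "172.31.255.1",  # inside the block, but sorts after "172.31.254.254" as text
    "172.2.0.1",     # outside the block, but sorts between the two bounds as text
    "172.200.1.1",   # outside the block, same text-ordering problem
    "8.8.8.8",       # outside, both filters agree
    "192.0.2.44",    # outside, both filters agree
]

if __name__ == "__main__":
    print("classified differently:", disagreements(SAMPLE))
    print("kept by the CIDR exclusion:", external_only(SAMPLE))
```

Under that assumption, the text comparison both hides external addresses such as 172.2.0.1 and lets internal ones such as 172.31.255.1 through, which is why the CIDR form is the safer filter.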