I want to exclude the (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16") IP ranges.
My configurations:
props.conf:
TRANSFORMS-null = internal_Logs10, internal_Logs172, internal_Logs192
transforms.conf:
[internal_Logs10]
REGEX = dst\=10\.0\.0\.0\/8
DEST_KEY = queue
FORMAT = nullQueue
[internal_Logs172]
REGEX = dst\=172\.16\.0\.0\/12
DEST_KEY = queue
FORMAT = nullQueue
[internal_Logs192]
REGEX = dst=192\.168\.0\.0\/16
#REGEX = dst=192\.168\.5.*
DEST_KEY = queue
FORMAT = nullQueue
It works perfectly for 192.168.5.* but not for the subnet range.
Kindly share or assist with the configuration for the same.
It's excluding all traffic/dst IPs.
Besides 10, it's also considering 101 in the private IP address range.
I made a minor change to the answer above, but I can not reproduce the scenario you describe.
https://regex101.com/r/FXD0Q4/2
Splunk will not perform CIDR matches against regular expressions.
You will need to construct your regex to match the range of addresses you need:
(10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.)
But you should be able to do this in one stanza if you wish:
[internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue
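As an added check (not part of the answer above), this Python script compares the one-stanza REGEX against a real CIDR membership test from the ipaddress module on constructed sample addresses, assuming events carry a plain `dst=<ip>` field; Python's re handles this subset of PCRE the same way Splunk does. A second, deliberately loosened pattern (hypothetical, not from the thread) shows how dropping the `\.` after `10` makes 101.x.x.x look private, the symptom reported in the comment.

```python
import ipaddress
import re

# REGEX from the answer's [internal_IPs] stanza. Assumed event format: "dst=<ip>".
ANSWER_REGEX = re.compile(
    r"dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+"
)
# Hypothetical loosened variant: "10" without the trailing "\." (not from the thread).
LOOSE_REGEX = re.compile(
    r"dst\=((?:10)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+"
)

# The RFC 1918 ranges the question wants sent to nullQueue.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: inside each range, at its edges, and just outside it.
SAMPLE_IPS = [
    "10.0.0.1", "10.255.255.254",      # inside 10/8
    "101.2.3.4", "110.0.0.1",          # public, but start with "10"/"1"
    "172.16.0.1", "172.31.255.255",    # edges of 172.16/12
    "172.15.255.255", "172.32.0.1",    # just outside 172.16/12
    "192.168.5.7", "192.169.0.1",      # inside / just outside 192.168/16
    "8.8.8.8",
]


def cidr_says_private(ip: str) -> bool:
    """Ground truth: real CIDR membership, which Splunk regexes cannot do."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRIVATE_NETS)


def regex_says_private(ip: str, pattern: re.Pattern = ANSWER_REGEX) -> bool:
    """What the transforms.conf REGEX would decide for an event 'dst=<ip>'."""
    return pattern.search(f"dst={ip}") is not None


def check_regex(ips, pattern: re.Pattern = ANSWER_REGEX) -> dict:
    """Addresses where the regex disagrees with the CIDR test, by kind of error."""
    fps = [ip for ip in ips if regex_says_private(ip, pattern) and not cidr_says_private(ip)]
    fns = [ip for ip in ips if cidr_says_private(ip) and not regex_says_private(ip, pattern)]
    return {"false_positives": fps, "false_negatives": fns}


if __name__ == "__main__":
    print(check_regex(SAMPLE_IPS))               # no disagreements
    print(check_regex(SAMPLE_IPS, LOOSE_REGEX))  # 101.2.3.4 wrongly dropped
```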