Re: How to Exclude private IP range from transform...

neelamsantosh · ‎12-20-2020

I want to exclude the (dst="10.0.0.0/8" OR dst="172.16.0.0/12" OR dst="192.168.0.0/16") IP ranges.

my configurations:

props.conf:

TRANSFORMS-null = internal_Logs10, internal_Logs172, internal_Logs192

Transforms.conf:

[internal_Logs10]
REGEX = dst\=10\.0\.0\.0\/8
DEST_KEY = queue
FORMAT = nullQueue

[internal_Logs172]
REGEX = dst\=172\.16\.0\.0\/12
DEST_KEY = queue
FORMAT = nullQueue

[internal_Logs192]
REGEX = dst=192\.168\.0\.0\/16
#REGEX = dst=192\.168\.5.*
DEST_KEY = queue
FORMAT = nullQueue

it works perfectly for 192.168.5.* but not for subnet range.

kindly share or assist with configuration around the same.

neelamsantosh · ‎12-20-2020

its excluding all traffic/dst IP's
besides 10 its also considering 101 too in th eprivate ip address range

nickhills · ‎12-21-2020

I made a minor change to the answer above, but I can not reproduce the scenario you describe.

If my comment helps, please give it a thumbs up!

nickhills · ‎12-20-2020

Splunk will not perform CIDR matches against regular expressions.

You will need to construct your regex to match the range of addresses you need

(10\.)
(172\.1[6-9]\.)|(172\.2[0-9]\.)|(172\.3[0-1]\.)
(192\.168\.)

But you should be able to do this in one stanza if you wish

[internal_IPs]
REGEX = dst\=((?:10\.)|(?:172\.1[6-9]\.)|(?:172\.2[0-9]\.)|(?:172\.3[0-1]\.)|(?:192\.168\.)).+
DEST_KEY = queue
FORMAT = nullQueue

If my comment helps, please give it a thumbs up!

How to Exclude private IP range from transforms