Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to filter out IPs from being indexed?

mcbradford
Contributor
‎01-26-2018 07:59 AM

I am not good at regex, so I need help filtering some IPs from being indexed.

raw event looks like this:

192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"
192.168.184.26 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"

I also have data in the dataset coming from 23.99., so I want to exclude all data from the 23.99. range.

I was trying the following in transforms.conf on my Heavy Forwarder, but the events are still coming in. note - I just started with the 192.168.184.25

transforms.conf

[setnull]
REGEX = \,192\.168\.184\.25\,
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[source::/var/log/nginx/access.log]
TRANSFORMS-null= setnull
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-26-2018 08:42 AM

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

mayurr98
Super Champion
‎01-26-2018 08:42 AM

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

0 Karma
Reply
Solved! Jump to solution

mcbradford
Contributor
‎01-26-2018 01:01 PM

This worked. If I wanted to exclude 192.168.184.25 and 192.168.184.26, could I do it with one statement?

I tired 192.168.184.* and this did not work.

0 Karma
Reply
Solved! Jump to solution

mayurr98
Super Champion
‎01-26-2018 06:53 PM

Try this 

192\.168\.184\.(25|26)
0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey
Register for .conf25!
Get Updates on the Splunk Community!

.conf25 Global Broadcast: Don’t Miss a Moment

Hello Splunkers, .conf25 is only a click away.  Not able to make it to .conf25 in person? No worries, you can ...

Observe and Secure All Apps with Splunk

 Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

What's New in Splunk Observability - August 2025

What's New We are excited to announce the latest enhancements to Splunk Observability Cloud as well as what is ...