Solved: How to filter out IPs from being indexed?

mcbradford · ‎01-26-2018

I am not good at regex, so I need help filtering some IPs from being indexed.

raw event looks like this:

192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-" 192.168.184.26 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"

I also have data in the dataset coming from 23.99., so I want to exclude all data from the 23.99. range.

I was trying the following in transforms.conf on my Heavy Forwarder, but the events are still coming in. note - I just started with the 192.168.184.25

transforms.conf

[setnull]
REGEX = \,192\.168\.184\.25\,
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[source::/var/log/nginx/access.log]
TRANSFORMS-null= setnull

mayurr98 · ‎01-26-2018

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

View solution in original post

mayurr98 · ‎01-26-2018

try this

[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

let me know if this helps!

mcbradford · ‎01-26-2018

This worked. If I wanted to exclude 192.168.184.25 and 192.168.184.26, could I do it with one statement?

I tired 192.168.184.* and this did not work.

mayurr98 · ‎01-26-2018

Try this

192\.168\.184\.(25|26)

How to filter out IPs from being indexed?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

[Puzzles] Solve, Learn, Repeat: Matching cron expressions

Design, Compete, Win: Submit Your Best Splunk Dashboards for a .conf26 Pass

May 2026 Splunk Expert Sessions: Security & Observability

Join the Conversation