How to filter out IPs from being indexed?

mcbradford
Contributor

I am not good at regex, so I need help filtering some IPs from being indexed.

Raw event looks like this:

192.168.184.25 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"
192.168.184.26 - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" "-"

I also have data in the dataset coming from 23.99., so I want to exclude all data from the 23.99. range.

I was trying the following in transforms.conf on my Heavy Forwarder, but the events are still coming in. Note: I just started with the 192.168.184.25

transforms.conf

[setnull]
REGEX = \,192\.168\.184\.25\,
DEST_KEY = queue
FORMAT = nullQueue

props.conf

[source::/var/log/nginx/access.log]
TRANSFORMS-null= setnull
0 Karma

mayurr98
Super Champion

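Try this

# transforms.conf: send events whose raw text matches REGEX to the nullQueue (discarded before indexing)
[setnull]
REGEX = 192\.168\.184\.25
DEST_KEY = queue
FORMAT = nullQueue

# props.conf: apply the transform to events from this source
[source::/var/log/nginx/access.log]
TRANSFORMS-null = setnull

Let me know if this helps!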

0 Karma

mcbradford
Contributor

This worked. If I wanted to exclude 192.168.184.25 and 192.168.184.26, could I do it with one statement?

I tried 192.168.184.* and this did not work.

0 Karma

mayurr98
Super Champion

Try this

192\.168\.184\.(25|26)
0 Karma
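
An added example, not part of the original thread: a Python check of the candidate REGEX values against constructed events before they are deployed to the nullQueue transform. It goes beyond the posted answers by adding an anchored pattern that also covers the 23.99. range from the question; the event names, the extra sample events, and the use of Python's re module in place of Splunk's PCRE engine are assumptions.

```python
import re

# Constructed sample events in the access-log layout shown in the question.
# Event names and all events except the first two are assumptions for this example.
TAIL = ' - - [26/Jan/2018:10:46:06 -0500] "HEAD / HTTP/1.0" 302 0 "-" "avi/1.0" '
EVENTS = {
    "lb_25": '192.168.184.25' + TAIL + '"-"',
    "lb_26": '192.168.184.26' + TAIL + '"-"',
    "host_250": '192.168.184.250' + TAIL + '"-"',       # different host, shares a prefix
    "quoted_ip": '10.1.2.3' + TAIL + '"192.168.184.25"',  # IP only in a trailing field
    "range_23_99": '23.99.10.7' + TAIL + '"-"',
    "other_123": '123.99.10.7' + TAIL + '"-"',          # contains the text "23.99."
}

CANDIDATES = {
    "question": r"\,192\.168\.184\.25\,",      # from the question: requires literal commas
    "answer": r"192\.168\.184\.25",            # accepted answer
    "answer_pair": r"192\.168\.184\.(25|26)",  # follow-up answer
    # Hypothetical tightened pattern: client IP at start of event, then whitespace.
    "anchored": r"^(192\.168\.184\.(25|26)|23\.99\.\d{1,3}\.\d{1,3})\s",
}

def dropped(pattern):
    """Names of events the transform would discard (unanchored search on the raw event)."""
    rx = re.compile(pattern)
    return sorted(name for name, raw in EVENTS.items() if rx.search(raw))

def report():
    """Map each candidate label to the events it would send to the nullQueue."""
    return {label: dropped(p) for label, p in CANDIDATES.items()}

if __name__ == "__main__":
    for label, names in report().items():
        print(f"{label:12} drops {names}")
```

The unanchored patterns also discard 192.168.184.250 and any event that merely contains the address elsewhere in the line, which removes log data from the index without any visible error.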