I have this query in Splunk which gets me the src_ip along with different fields for a particular UserId, but I want to exclude the logs whose src_ip starts with either 10 or 172. Could someone please help?
index=wineventlog $UserId sourcetype="WinEvt:ADFS" EventCode=120* | rex "IpAddress\W(?<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | rex "Activity\sID\W(?<Activity_ID>\s.*)" | table src_ip, Activity_ID, _time, UserAgent | sort _time | reverse
```Query as posted in the question: it extracts src_ip and Activity_ID from the raw event and lists them with the time in reverse order, with no filter on src_ip yet. The dots in the src_ip pattern are unescaped, so each one matches any character rather than only a literal dot.```
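index=wineventlog $UserId sourcetype="WinEvt:ADFS" EventCode=120*
```Extract the client address. The dots are escaped so only a dotted quad is captured; an unescaped dot matches any character.```
| rex "IpAddress\W(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
```Drop internal sources. Of the 172 block only 172.16.0.0 through 172.31.255.255 is private (RFC 1918); excluding every address that starts with 172 would also hide logons coming from public 172.x addresses. This assumes the goal is to exclude internal ranges: widen the pattern if other 172.x networks are internal in this environment. The same ranges can also be written with cidrmatch in a where clause.```
| regex src_ip!="^(10|172\.(1[6-9]|2[0-9]|3[01]))\."
```Activity_ID is everything after the Activity ID label on the same line.```
| rex "Activity\sID\W(?<Activity_ID>\s.*)"
| table src_ip, Activity_ID, _time, UserAgent
```sort 0 removes the default result limit; the minus sign orders by _time descending, newest first.```
| sort 0 - _time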
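index=wineventlog $UserId sourcetype="WinEvt:ADFS" EventCode=120*
```Extract the client address. The dots are escaped so only a dotted quad is captured; an unescaped dot matches any character.```
| rex "IpAddress\W(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})"
```Drop internal sources. Of the 172 block only 172.16.0.0 through 172.31.255.255 is private (RFC 1918); excluding every address that starts with 172 would also hide logons coming from public 172.x addresses. This assumes the goal is to exclude internal ranges: widen the pattern if other 172.x networks are internal in this environment.```
| regex src_ip!="^(10|172\.(1[6-9]|2[0-9]|3[01]))\."
```Activity_ID is everything after the Activity ID label on the same line.```
| rex "Activity\sID\W(?<Activity_ID>\s.*)"
| table src_ip, Activity_ID, _time, UserAgent
```sort 0 removes the default result limit; the minus sign orders by _time descending, newest first.```
| sort 0 - _time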