Hi,
Need some help with getting a correct Regex for CIDR exclusion.
(This is an example, not the real IP range.)
Trying to exclude events that have ips in the 79.40.96.0/22 range.
Following is the Regex that I was able to create using https://regex101.com/. It does match when I test with IPs from the range in https://regex101.com. However, it doesn't seem to work when I test it against events in Splunk.
And the regex used is:
^79\.40\.(96\.([1-9]|[1-9]\d|[12]\d\d)|99\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])|9[78]\.([1-9]?\d|[12]\d\d))$
(Looked like it didn't get pasted correctly when I posted initially.)
Sample event would start with the ip.
79.40.96.12 .......
Thanks,
AKN
| makeresults
| eval ip=split("79.40.96.#79.40.97.#79.40.98.#79.40.99.","#")
| stats count by ip
| eval subnet=mvrange(0,256)
| stats values(ip) as ip by subnet
| mvexpand ip
| eval ip=ip.subnet
| eval check=if(match(ip,"^79\.40\.9[6-9]\.([1-9]?[0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])$"),"OK","false")
79.40.96.0/22 is the range 79.40.96.0 ~ 79.40.99.255.
The regex is the match() argument.
@aknsun ,
Can you please remove the $ from the end of your regex and try? Your regex should look like below:
^79\.40\.(96\.([1-9]|[1-9]\d|[12]\d\d)|99\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])|9[78]\.([1-9]?\d|[12]\d\d))
Sid
Hi @techiesid . It didn't work.
Sample event has a comma immediately after the IP.
79.40.96.12, ........
I got this working. Just had to replace the "$" with a ".*" at the end of the REGEX.
^79\.40\.(96\.([1-9]|[1-9]\d|[12]\d\d)|99\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])|9[78]\.([1-9]?\d|[12]\d\d)).*
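As an added check that is not part of the thread, the script below runs the regex from the posts above, once with the original `$` anchor and once with the `.*` fix, over constructed sample events and over every address in 79.40.96.0/22. The `TIGHT` pattern is my own alternative (not posted in the thread): a /22 fixes the first 22 bits, so the third octet is 96-99 and the fourth is any octet.

```python
import ipaddress
import re

# Constructed sample events (not from the thread); the thread says the event
# starts with the IP and a comma follows it immediately.
EVENTS = [
    "79.40.96.12, user=alice action=login",
    "79.40.99.255, user=bob action=login",
    "79.40.100.1, user=carol action=login",     # just outside the /22
    "179.40.96.12, user=dave action=login",     # different first octet
]

# Regex as posted in the thread, with the "$" anchor, and the ".*" fix.
ORIGINAL = (r"^79\.40\.(96\.([1-9]|[1-9]\d|[12]\d\d)"
            r"|99\.([1-9]?\d|1\d\d|2[0-4]\d|25[0-4])"
            r"|9[78]\.([1-9]?\d|[12]\d\d))$")
FIXED = ORIGINAL[:-1] + ".*"

# Hypothetical tighter pattern: third octet 96-99, fourth octet 0-255; the
# (?!\d) lookahead stops a short octet from matching the prefix of a longer
# digit run, without needing a trailing .* to swallow the rest of the event.
TIGHT = r"^79\.40\.9[6-9]\.(25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)(?!\d)"


def matching_events(pattern, events):
    """Return the events whose leading IP matches the pattern."""
    return [e for e in events if re.match(pattern, e)]


def coverage(pattern, cidr):
    """Test every address in the CIDR block as the start of an event
    ("<ip>,"); return (matched count, list of addresses that were missed)."""
    net = ipaddress.ip_network(cidr)
    missed = [str(a) for a in net if not re.match(pattern, str(a) + ",")]
    return net.num_addresses - len(missed), missed


if __name__ == "__main__":
    for name, pat in (("ORIGINAL", ORIGINAL), ("FIXED", FIXED), ("TIGHT", TIGHT)):
        hits = matching_events(pat, EVENTS)
        matched, missed = coverage(pat, "79.40.96.0/22")
        print(f"{name}: events matched={len(hits)} "
              f"in-range matched={matched}/1024 missed={missed[:3]}")
```

The `$` version matches none of the events because the comma follows the last octet; the `.*` version matches the two in-range events but still skips 79.40.96.0, while `TIGHT` covers all 1024 addresses and nothing in the neighbouring blocks.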
@aknsun
Have you tried the cidrmatch function for exclusion?
... |where NOT cidrmatch("79.40.96.0/22",ipfield)
Hi @kamlesh_vaghela I'm trying to get this done in props/transforms as I don't want it ingested into Splunk.
Thanks,
AKN
@aknsun
Can you please share some sample events?