Splunk Search

Splunk 8 - TSTATS WHERE IN () does not work with CIDR

samsonusmc
New Member

Providing Splunk 8 the following:

| tstats allow_old_summaries=t count from datamodel=Network_Traffic.All_Traffic where (nodename = All_Traffic.Traffic_By_Action.Allowed_Traffic) (All_Traffic.src_zone="INET") (All_Traffic.dest_ip=172.20.17.119) NOT All_Traffic.src_ip IN (40.96.0.0/13, 40.104.0.0/15, 52.96.0.0/14)by All_Traffic.src_ip, All_Traffic.action | sort - count

It doesn't filter out the subnets we asked to exclude... BUT it works on 7.3

Tags (2)
0 Karma

samsonusmc
New Member

Nevermind.. Known issue
https://docs.splunk.com/Documentation/Splunk/8.0.0/ReleaseNotes/KnownIssues

2019-11-11 SPL-179357, SPL-179700 Negated subnet CIDR filter doesn't work in search.

Workaround:
Workaround:
limits.conf: [search] use_search_evaluator_v2=false

Examples searches that don't filter out values: index=_internal (NOT clientip=127.0.0.0/8) | stats count BY clientip

index=_internal (clientip!=127.0.0.0/8) | stats count BY clientip

index=_internal | stats count BY clientip | search (clientip!=127.0.0.0/8) | stats sum(count) BY clientip | noop search_optimization=false

Filtering with | where is OK: index=_internal | where NOT cidrmatch("127.0.0.0/8", clientip) | stats count BY clientip

0 Karma
Get Updates on the Splunk Community!

Routing Data to Different Splunk Indexes in the OpenTelemetry Collector

This blog post is part of an ongoing series on OpenTelemetry. The OpenTelemetry project is the second largest ...

Getting Started with AIOps: Event Correlation Basics and Alert Storm Detection in ...

Getting Started with AIOps:Event Correlation Basics and Alert Storm Detection in Splunk IT Service ...

Register to Attend BSides SPL 2022 - It's all Happening October 18!

Join like-minded individuals for technical sessions on everything Splunk!  This is a community-led and run ...