I am trying to use an expression in the search string that will not display certain IP addresses. I have used the LIKE "172.%" to good use to display all IP addresses beginning with 172.x.
However, I would like to exclude the 172.x, 10.x and 192.168.X from being displayed.
I have been using a search string like the following:
source="/logtest" drop |stats count by srchost |where (srchost LIKE "10.%")| where count > 2 | sort by -count | head 10
Notice in the string above the (srchost LIKE "10.%")
Is there a way of creating something that will exclude 10.%? Something on the order of NOT LIKE?
If anyone has the answer I would appreciate it.
Thanks in Advance.
I would recommend use of the cidrmatch() eval function: http://www.splunk.com/base/Documentation/latest/SearchReference/CommonEvalFunctions
but in your case, what I'd really recommend is doing your search as:
source="/logtest" drop srchost!=10.0.0.0/24 | stats count by srchost | where count > 2 | sort by -count | head 10
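As an added illustration of the cidrmatch() suggestion above (this is not part of the original answer), the search below excludes all three ranges the question names in one pass. It assumes the same source and field names as the question (source="/logtest", field srchost) and translates "10.x", "172.x" and "192.168.x" literally into 10.0.0.0/8, 172.0.0.0/8 and 192.168.0.0/16; narrow the 172 range to 172.16.0.0/12 if only the RFC 1918 block is meant. The filter is applied after stats, so cidrmatch() runs once per distinct srchost rather than once per event.

```spl
source="/logtest" drop
| stats count by srchost
| where NOT (cidrmatch("10.0.0.0/8", srchost)
          OR cidrmatch("172.0.0.0/8", srchost)
          OR cidrmatch("192.168.0.0/16", srchost))
| where count > 2
| sort -count
| head 10
```

cidrmatch("CIDR", field) returns true when the IP in the field falls inside the block, so wrapping the OR chain in NOT keeps only hosts outside every listed range; a srchost value that is not a valid IPv4 address (a hostname, say) never matches and is therefore retained.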
Have you tried:
... | where NOT (srchost LIKE "10.%") | ...
No problem. I've been there too. 😉 Sometimes you just need another set of eyes.
I hang my head in shame....
I thought I had tried it, but when I followed your recommendation it worked.
I guess I got confused with all the things I tried.
Thank you for the help.