Excellent, your where cidrmatch solution works. Oddly enough
sslvpn* "Session started"
| dedup _raw
| rex field=_raw "\[(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\]\ (?<netid>.*)\("
| where ip != "10.*"
evaluates correctly but doesn't appropriately filter but
sslvpn* "Session started"
| dedup _raw
| rex field=_raw "\[(?<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\]\ (?<netid>.*)\("
| where ip != 10.*
is malformed with error:
Error in 'where' command: The expression is malformed. The factor is missing.
ip has a string as a type, so I'm not sure why the two options above fail, but your approach works. Thanks again!
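The post above does not explain why the two `where` clauses misbehave, so here is an added worked illustration (not part of the original thread, and not the poster's or Splunk's code) that reproduces the three filters in Python over a handful of constructed sample events. The relevant point is that `where` evaluates an eval expression, not a search-command pattern: `"10.*"` in quotes is the literal four-character string `10.*`, so `ip != "10.*"` is true for every real address and filters nothing; unquoted `10.*` is parsed as the number `10.` followed by a multiplication operator with no right-hand operand, which is the "factor is missing" error. `cidrmatch()` compares the address against a network range, which is what the filter actually needs. The sample log lines, the function names, and the choice of `10.0.0.0/8` as the excluded range are assumptions for the example; the regex is the one from the post, converted to Python named-group syntax.

```python
import ipaddress
import re

# Constructed sample events in the shape the post's rex expects:
# "... [<ip>] <netid>(" ...  -- made-up lines, not real VPN log data.
SAMPLE_EVENTS = [
    "sslvpn1: Session started [10.20.30.40] alice(12345)",
    "sslvpn1: Session started [192.0.2.17] bob(12346)",
    "sslvpn1: Session started [10.20.30.40] alice(12345)",   # exact duplicate _raw
    "sslvpn2: Session started [100.64.5.9] carol(12347)",
    "sslvpn2: Session started [10.99.1.1] dave(12348)",
]

# Same pattern as the post's rex, with Splunk's (?<name>...) groups written
# in Python's (?P<name>...) form.
IP_RE = re.compile(
    r"\[(?P<ip>\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b)\]\ (?P<netid>.*)\("
)


def extract(events):
    """Mimics `| dedup _raw | rex ...`: drop exact duplicate raw lines,
    then pull (ip, netid) from each remaining event."""
    seen = set()
    rows = []
    for raw in events:
        if raw in seen:
            continue
        seen.add(raw)
        m = IP_RE.search(raw)
        if m:
            rows.append((m.group("ip"), m.group("netid")))
    return rows


def filter_string_compare(rows, literal="10.*"):
    """Mimics `| where ip != "10.*"`.

    In an eval expression the quoted value is a plain string literal, so this
    is a character-for-character inequality test. No extracted address is ever
    exactly the string "10.*", so every row survives: the search runs, but
    nothing is filtered."""
    return [r for r in rows if r[0] != literal]


def filter_like(rows, prefix="10."):
    """Mimics `| where NOT like(ip, "10.%")`: like() is the eval-side way to
    get a wildcard comparison, with % as the wildcard. Assumed alternative,
    not something the post used."""
    return [r for r in rows if not r[0].startswith(prefix)]


def filter_cidr(rows, cidr="10.0.0.0/8"):
    """Mimics `| where NOT cidrmatch("10.0.0.0/8", ip)`: the address is parsed
    and tested for membership in the network range, which is the check the
    poster actually wanted."""
    net = ipaddress.ip_network(cidr)
    return [r for r in rows if ipaddress.ip_address(r[0]) not in net]


if __name__ == "__main__":
    rows = extract(SAMPLE_EVENTS)
    print("after dedup+rex      :", rows)
    print('where ip != "10.*"    :', filter_string_compare(rows))
    print('NOT like(ip, "10.%")  :', filter_like(rows))
    print("NOT cidrmatch(10/8)  :", filter_cidr(rows))
```

Running it shows four rows after dedup, all four still present after the string comparison, and only the two non-10.x.x.x rows after either `like()` or `cidrmatch()`. Of the two working forms, `cidrmatch()` is the one to prefer for address filtering because it handles arbitrary prefix lengths (for example `10.20.0.0/16`) where a string prefix cannot.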