If I want to search for a range of addresses, say anything in 10.0.1.0/24 from anywhere in the log, how do you do that? I can't find anything that works.
You can frame the search with wild cards. Example: src_ip=10.1.2.[wcrd] for a /24 CIDR range or src_ip=10.7.[wcrd].[wcrd] for a /16 CIDR range, etc.
[wcrd] = *
(I was having trouble getting the * to show when using more than 1 in the IP addresses.)
If the IP ranges are consecutive you can use an online CIDR calculator to get the CIDR notation to use. Example: to search where src_ip is between 127.0.120.0 and 127.0.122.0, use src_ip=127.0.120.0/23
You can't do CIDR defined search on freetext. You can however do it if you have the IP addresses you want to match against in extracted fields. In other words,
10.0.0.0/24
won't work, but
src_ip=10.0.0.0/24
will.