Hello Everyone,
I want to block multiple IP addresses. I got it using IP!=xxx.xx.xx.xx OR IP!=yyy.yy.yy.yy
Is there any way to block them all using a single NOT command, or something else like IP NOT IN (xxx.xx.xx.xx OR yyy.yy.yy.yy)?
Thanks in advance!
VK
Hi vittal_kumar,
You could use eval commands with match or like, but it's slow!
The best way is to insert all your IPs in a lookup or tag them in an eventtype.
Bye.
Giuseppe
For a small list, you can use the following subsearch method. Provide a space-separated list of IPs in the subsearch eval command.
index=foo sourcetype=bar [| gentimes start=-1 | eval IP="xxx.xx.xx.xx yyy.yy.yy.yy zzz.zz.zz.zz" | table IP | makemv IP ] ... | rest of the search
Well, you can do something similar to what you wrote:
... NOT (IP=X OR IP=Y)
Splunk also understands CIDR notation in many cases, so if they're all 192.168.3.0/24 addresses, you can do that:
... NOT (IP=192.168.0.0/24)
Or you could put them in a lookup and remove them using a subsearch:
... NOT [ | inputlookup <your lookup> ]
That last one will take a bit of work to get going, but may ultimately be the better way to manage this if it's a sizeable list. See perhaps this discussion. There are lots more where that came from, and if you want to go down that route, ask!
Happy Splunking!
-Rich
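Both Rich's inline NOT (...) form and the lookup approach he and Giuseppe recommend depend on having a clean list of hosts and ranges. As an added helper, not from the thread, this Python script validates a mixed list of IPs and CIDRs with the standard library, collapses duplicates and overlapping ranges, and renders both the inline exclusion clause and the CSV rows for a lookup; the field name IP and the sample addresses are constructed.

```python
import csv
import io
import ipaddress

# Constructed sample blocklist: two hosts inside the /24, a duplicate, a typo.
BLOCKLIST = ["192.168.3.1", "192.168.3.2", "192.168.3.0/24",
             "10.0.0.5", "10.0.0.5", "not-an-ip"]

def normalize_blocklist(entries):
    """Parse IPs/CIDRs, drop malformed entries, collapse duplicates and
    overlapping ranges. Returns (networks, rejected)."""
    by_version, rejected = {4: [], 6: []}, []
    for raw in entries:
        token = raw.strip()
        if not token:
            continue
        try:  # strict=False also accepts host bits set, e.g. 192.168.3.7/24
            net = ipaddress.ip_network(token, strict=False)
        except ValueError:
            rejected.append(token)
            continue
        by_version[net.version].append(net)
    networks = []
    for version in (4, 6):  # collapse_addresses refuses mixed versions
        networks.extend(ipaddress.collapse_addresses(by_version[version]))
    return networks, rejected

def spl_term(net, field="IP"):
    """Hosts render as IP="a.b.c.d"; ranges keep the CIDR notation that
    Splunk search matches natively, as Rich noted."""
    if net.prefixlen == net.max_prefixlen:
        return f'{field}="{net.network_address}"'
    return f'{field}="{net.with_prefixlen}"'

def spl_exclusion(networks, field="IP"):
    """Inline form for a short list: NOT (IP=... OR IP=...)."""
    if not networks:
        return ""
    return "NOT (" + " OR ".join(spl_term(n, field) for n in networks) + ")"

def lookup_csv(networks, field="IP"):
    """Rows for a lookup table; CIDR rows need match_type = CIDR(IP) on the
    lookup definition in transforms.conf so ranges match, not just hosts."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow([field, "blocked"])
    for net in networks:
        writer.writerow([net.with_prefixlen, "true"])
    return buf.getvalue()
```

Feed the CSV to inputlookup for Rich's `NOT [ | inputlookup ... ]` form, or use the inline clause directly when the list stays short.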