Could you advise me please, how to exclude IP subn...

smokerman · ‎05-25-2019

Hello,
Could you advise me please, how to exclude IP subnet not using each of them NOT 141.8.142.220 etc.
As example, my request is:
source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 NOT 141.8.142.193 NOT 141.8.142.166 NOT 141.8.142.160 NOT 141.8.142.220 root=test1 | top limit=400 useragent clientip

Are there any variants like 141.8.142.* or 141.8.142.0/255 or anything like this?

Thank you in adv!

koshyk · ‎05-25-2019

Option1 ) do the base search and do an aggregation/evaluation to remove the IP range. Ensure you have it extracted to a field (say my_ip)

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200| where NOT cidrmatch("141.8.142.0/255", my_ip)| top limit=400 useragent clientip

Option 2) Do a wildcard filter to remove them in base search. This is not purely an IP range, but more of a string exclusion

source="test.access.log" host="test123" index="test" sourcetype="access_combined" status=200 root=test1 NOT (141.8.142*) | top limit=400 useragent clientip

FrankVl · ‎05-27-2019

Probably safer to do 141.8.142.* (including the 3rd .) instead of 141.8.142* (no 3rd .), since the latter also matches 123.141.8.142.

smokerman · ‎05-27-2019

Thank you! That is exactly what I need. It helped to clear the log on the site https://world-weather.ru

koshyk · ‎05-27-2019

cool. please upvote and accept, if it helped you. cheers

Could you advise me please, how to exclude IP subnet?

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life