Solved: How to search IP with wildcard?

mveca · ‎05-31-2019

I want to exclude both primary and secondary IP addresses from a search.

For example:

src_ip!=192.50.244.10 AND src_ip!=192.50.245.10

Can I combine the two by just using a wildcard in just one octet?

For example, something like:

src_ip!=192.50.24*.10

DavidHourani · ‎05-31-2019

Hi @mveca,

You could use a wildcard but that will match more than what you require since that also includes : 192.50.241.10,192.50.242.10 and others that you might want to keep.

If you really want to use a regex you could try something like what is shown here :
https://answers.splunk.com/answers/97697/exclude-regex-results-from-a-search.html

Your search would look like this :

yourbasesearch | regex src_ip!="192.50.24[4,5].10"

Let me know if that helps.

Cheers,
David

View solution in original post

VatsalJagani · ‎06-03-2019

@mveca - Yes you can do src_ip!=192.50.24*.10.

DavidHourani · ‎06-04-2019

this excludes 192.50.240.10,192.50.241.10....192.50.249.10 not just the primary IPs.

VatsalJagani · ‎06-04-2019

I think that's what @mveca wants, "not condition with wildcard".

DavidHourani · ‎05-31-2019

Hi @mveca,

You could use a wildcard but that will match more than what you require since that also includes : 192.50.241.10,192.50.242.10 and others that you might want to keep.

If you really want to use a regex you could try something like what is shown here :
https://answers.splunk.com/answers/97697/exclude-regex-results-from-a-search.html

Your search would look like this :

yourbasesearch | regex src_ip!="192.50.24[4,5].10"

Let me know if that helps.

Cheers,
David

How to search IP with wildcard?

Announcing Scheduled Export GA for Dashboard Studio

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!