Dear all, I want to filter a specific IP range for one country. Can the search syntax use network mask notation like /24? For instance, for the IP range from 110.77.0.0 to 110.77.127.255, I hope I can use 110.77.0/17 rather than 110.77.0.~110.77.127. as the filter condition. Any other better suggestions? Thanks
Yes, you can, but only as a field value match, i.e., you can search for ipaddr=110.77.0.0/23 but not for just 110.77.0.0/23.
@southeringtonp -- Thank you for posting the cross-reference. That second question is exactly what I needed.
You rock Gerald!
You can also use cidrmatch in the eval command. If you are dealing with known (usually internal) subnets, you can also resolve them by name - see this thread: http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table
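
Added example, not part of the original thread: country allocations are usually published as first/last address pairs that do not always line up with a single prefix, so this Python script converts each range into the minimal set of CIDR blocks and builds the field-value filter the answer above describes. The field name ipaddr comes from that answer; the function names and the second sample range are constructed for illustration.

```python
import ipaddress


def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last (inclusive)."""
    start = ipaddress.IPv4Address(first)
    end = ipaddress.IPv4Address(last)
    # summarize_address_range raises ValueError if start > end.
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]


def splunk_filter(field, ranges):
    """Build a field=CIDR OR ... clause usable as a Splunk search term."""
    cidrs = []
    for first, last in ranges:
        cidrs.extend(range_to_cidrs(first, last))
    return "(" + " OR ".join(f"{field}={c}" for c in cidrs) + ")"


def in_any(ip, cidrs):
    """Local sanity check: is ip inside any of the CIDR blocks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    # Range from the question: collapses to a single /17.
    print(range_to_cidrs("110.77.0.0", "110.77.127.255"))

    # Constructed range that is not prefix-aligned: needs two blocks.
    ranges = [("110.77.0.0", "110.77.191.255")]
    print(splunk_filter("ipaddr", ranges))

    # Boundary check before pasting the clause into a search.
    blocks = range_to_cidrs("110.77.0.0", "110.77.127.255")
    for ip in ("110.77.127.255", "110.77.128.0"):
        print(ip, in_any(ip, blocks))
```
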