Re: How To filter internal IP address in splunk se...

nnimbe · ‎02-22-2017

Hi All,

I want to filter out internal IP range while searching, can please suggest some of the best search commands,

and wanted to know how to use "not between command" like not between 172.16 to 172.31 while filtering

nickhills · ‎02-23-2017

I'm not aware of a "between" (and thus a negated version) command per se, however for numbers you can use < >.

The problem with the example you have used is that "192.16" is a string (or at best a decimal) so you can't really use the concept of "between" in the context of an IP address
If you are searching a "well formed" address like 192.16.0.0 you can use < >, but I cant think of an example where that is better or more flexible than CIDR.

your search NOT (src_ip>172.16.0.0 AND src_ip<172.31.254.254)

If my comment helps, please give it a thumbs up!

nickhills · ‎02-23-2017

ah, thought of an example: if you wanted to look for hosts with a specific host address, but a varying subnet - eg: 192.168.[16-31].25
In this case you could use rex to filter the hosts you were interested in or perhaps a custom search command

If my comment helps, please give it a thumbs up!

nnimbe · ‎02-22-2017

thanks but I just wanted to know specifically how to use not between command for ranges.....

DalJeanis · ‎02-23-2017

I don't believe there is such an operator as "between" in splunk, let alone NOT between.

nickhills · ‎02-22-2017

If your ip addresses are extracted or contained in a field, your can use CIDR notation:

your search NOT src_ip=172.16.0.0/12

will exclude IPs from 172.16-31.x.x

If my comment helps, please give it a thumbs up!

How To filter internal IP address in splunk search

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...

Splunk APM: New Product Features + Community Office Hours Recap!

Index This | Forward, I’m heavy; backward, I’m not. What am I?