Hello there!
We´re trying to plan the best way to search multiple IP ranges that possibly can going through squid to Internet.
Nowadays in our enviroment we have specific IP range that can´t have access to internet. Therefore we decided to monitor this IP range creating specific alert.
I have researched in splunk answers and then I made the regex bellow but it didn´t work as I expected. The IP range that I want to take is 10.(1-200).(80-199).(231-254)
process="squid" httpstatus=200 | rex field=clientaddress "10.(?\d+).(?\d+).(?\d+)" | search (secoctect <200) N (79 > thiroctect <200) AND (four_octect >230)
Does anybody know what should I do? Any help I will appreciate it.
Thanks
... View more