You can also use the regex command to pipe a field through a regular expression.
For example:
index=bro sourcetype=bro_conn
| regex dest_ip="/(^127.)|(^192.168.)|(^10.)|(^172.1[6-9].)|(^172.2[0-9].)|(^172.3[0-1].)|(^::1$)|(^[fF][cCdD])/"
... View more