Filters events using CIDR subnets. Used for both IPv4 and IPv6 addresses.
Parameter | Type | Required | Default Value | Description |
---|---|---|---|---|
column | string | optional[a] | When file and column parameters are used together, it loads the subnet list from the given .csv . | |
field [b] | string | required | Specifies the field that the CIDR expression runs against. | |
file | string | optional[a] | When file and column parameters are used together, it loads the subnet list from the given .csv . | |
negate (deprecated) | boolean | optional[a] | false | This parameter is deprecated. Use the !cidr(...) negation instead to allow only addresses that are not in the given subnet to pass through (see cidr() Examples) or to allow events without the assigned field to pass through. (deprecated in 1.100.0) |
subnet | Array of strings | optional[a] | Specifies the list of IP ranges the CIDR expression matches with. | |
[a] Optional parameters use their default value unless explicitly set. |
Hide omitted argument names for this function
Omitted Argument NamesThe argument name for
field
can be omitted; the following forms of this function are equivalent:logscalecidr("field")
and:
logscalecidr(field="field")
These examples show basic structure only.
Hide negatable operation for this function
Negatable Function OperationThis function is negatable, implying the inverse of the result. For example:
logscale!cidr()
Or:
logscalenot cidr()
For more information, see Negating the Result of Filter Functions.
cidr()
Examples
Matches events for which the ipAddress attributes is in the IP range 192.0.2.0/24:
cidr(ipAddress, subnet="192.0.2.0/24")
Matches events for which the ipAddress attributes is not in the IP range 192.0.2.0/24:
!cidr(ipAddress, subnet="192.0.2.0/24")
Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24 or 203.0.113.0/24:
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])
Matches events for which the SRC attributes is one
of those listed in the uploaded file cidrfile.csv
with the subnets in the column cidr-block:
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")
Check if a field contains valid IP addresses, both IPv4 and IPv6:
case {
cidr("address", subnet=["0.0.0.0/0", "::/0"])
| ip := address;
*
}
It can also be used to check if a field contains a valid IPv4 address alone:
cidr("address", subnet="0.0.0.0/0")
or a valid IPv6 address:
cidr("address", subnet="::/0")