Filters events using CIDR subnets.
Function Traits: Filter, Negatable, WithInputField
| Parameter | Type | Required | Default | Description |
|---|---|---|---|---|
column | string | optional | When file and column parameters are used together, it loads the subnet list from the given .csv. | |
field[a] | string | required | Specifies the field that the CIDR expression runs against. | |
file | string | optional | When file and column parameters are used together, it loads the subnet list from the given .csv. | |
negate | boolean | optional | false | Allows only addresses that are not in the given subnet to pass through. It also allows events without the assigned field to pass through. |
subnet | Array of strings | optional | Specifies the list of IP ranges the CIDR expression matches with. | |
The parameter name for field can be omitted; the following forms are equivalent:
logscale
cidr("value")and:
logscale
cidr(field="value")cidr() Examples
Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24
logscale
cidr(ipAddress, subnet="192.0.2.0/24")Matches events for which the ipAddress attributes is in the ip range 192.0.2.0/24 or 203.0.113.0/24
logscale
cidr(ipAddress, subnet=["192.0.2.0/24", "203.0.113.0/24"])
Matches events for which the SRC attributes is one
of those listed in the uploaded file cidrfile.csv
with the subnets in the column cidr-block
logscale
cidr(field=SRC, file="cidrfile.csv", column="cidr-block")