Filter Events Using CIDR Subnets - Example 4

Filter events using CIDR subnets with negation to match events not in a given IP range

Query

logscale
!cidr(ipAddress, subnet="192.0.2.0/24")

Introduction

The cidr() function filters events by testing whether a field value falls inside a CIDR subnet. It works with both IPv4 and IPv6 addresses; the subnet argument is compared against the address family of the field value.

In this example, the cidr() function is negated with a leading !, so the query matches events whose ipAddress field is not in the given IP range.

Step-by-Step

  1. Starting with the source repository events.

  2. Apply the filter expression:

    logscale
    !cidr(ipAddress, subnet="192.0.2.0/24")

    Matches events for which the ipAddress field is not in the IP range 192.0.2.0/24.

  3. Event Result set.

Summary and Results

Negating cidr() excludes a known range, such as an internal or allow-listed subnet, from the result set, so any later stages of the query only run over events whose ipAddress lies outside the specified subnet. The negation inverts the filter rather than adding a new condition: an ipAddress value that is outside 192.0.2.0/24, that is an IPv6 address, or that does not parse as an IP address at all is not in the subnet and is therefore kept. Before relying on the negated form for exclusion, confirm how events with no ipAddress field behave in your environment, since the page above only describes events that carry the field.
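The following Python model, added here as an illustration and not part of the LogScale documentation or product, shows what a negated subnet filter does on a small, constructed set of events. The ipAddress and subnet names mirror the query above; the keep_missing parameter, the event records and the helper names are assumptions made for this example so that the edge cases (IPv6 address against an IPv4 subnet, unparseable value, missing field) are visible.

```python
"""Model of `!cidr(ipAddress, subnet="...")` over a list of events.

Added example using the standard-library ipaddress module. This is not
LogScale code and does not claim to reproduce LogScale's implementation;
it shows which events a negated CIDR filter keeps and why.
"""
import ipaddress

# Constructed sample events for this example (not from the original page).
EVENTS = [
    {"id": 1, "ipAddress": "192.0.2.17", "action": "login"},
    {"id": 2, "ipAddress": "192.0.2.255", "action": "login"},   # broadcast, still /24
    {"id": 3, "ipAddress": "198.51.100.4", "action": "login"},  # outside the range
    {"id": 4, "ipAddress": "2001:db8::1", "action": "login"},   # IPv6, never in an IPv4 /24
    {"id": 5, "ipAddress": "not-an-ip", "action": "login"},     # garbage value
    {"id": 6, "action": "logout"},                              # no ipAddress field at all
]


def in_subnet(value, subnet):
    """Return True when `value` is an IP address inside `subnet`.

    Missing values, values that do not parse as an address, and addresses of
    a different family than the subnet all yield False: none of them is "in"
    the subnet, which is exactly why a negated filter keeps them.
    """
    if value is None:
        return False
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    # strict=False tolerates host bits in the subnet spec (e.g. 192.0.2.5/24).
    return addr in ipaddress.ip_network(subnet, strict=False)


def filter_not_in_subnet(events, field, subnet, keep_missing=True):
    """Model of `!cidr(field, subnet=...)`: keep events whose field is NOT in subnet.

    keep_missing is an assumption of this example: it controls whether events
    lacking the field survive the negated filter. Check the behaviour of your
    own platform rather than relying on this default.
    """
    kept = []
    for event in events:
        if field not in event:
            if keep_missing:
                kept.append(event)
            continue
        if not in_subnet(event[field], subnet):
            kept.append(event)
    return kept


def kept_ids(events, field, subnet, keep_missing=True):
    """Convenience wrapper returning only the ids of the surviving events."""
    return [e["id"] for e in filter_not_in_subnet(events, field, subnet, keep_missing)]


if __name__ == "__main__":
    print("IPv4 /24 negated, missing kept:   ", kept_ids(EVENTS, "ipAddress", "192.0.2.0/24"))
    print("IPv4 /24 negated, missing dropped:", kept_ids(EVENTS, "ipAddress", "192.0.2.0/24", False))
    print("IPv6 /32 negated, missing kept:   ", kept_ids(EVENTS, "ipAddress", "2001:db8::/32"))
```

Running the block shows that only events 1 and 2 are removed by the IPv4 filter; the IPv6 address and the unparseable value are both kept because they are not inside 192.0.2.0/24, and the event with no ipAddress field is kept or dropped depending on the assumed keep_missing policy. Switching the subnet to 2001:db8::/32 removes only event 4.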