How-To: Field with Any Value

When looking for a field that has been set with any value, use the wildcard match:

statuscode = *

Non-existent Field

To find events where a field does not exist, negate the wildcard match:

statuscode != *

Empty Strings

There are no null values within LogScale. To look for a field that exists but that does not have an assigned value (i.e. an empty string), search for that explicitly using:

statuscode = ""

Exclude RFC1918 and Non-Routable IP Addresses

RFC1918 subnets and non-routable IPs may be addresses that you want to exclude in order to get a better idea of external traffic patterns. To do so, use the cidr() function:

| !cidr(LocalAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32"])
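
To check what the subnet list above removes and what it leaves in, the following added Python example (not LogScale code and not part of the original page) models the two chained !cidr() filters over constructed sample events. The function names and sample addresses are assumptions made for illustration.

```python
import ipaddress

# Subnet list copied from the two queries on this page.
EXCLUDED = [ipaddress.ip_network(n) for n in (
    "224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/32")]

def in_excluded(addr):
    """Return the matching subnet as a string, or None if addr is outside the list."""
    ip = ipaddress.ip_address(addr)
    for net in EXCLUDED:
        if ip in net:
            return str(net)
    return None

def keep_event(event):
    """Model of both filters piped together: an event survives only if
    LocalAddressIP4 AND RemoteAddressIP4 are outside every listed subnet."""
    return (in_excluded(event["LocalAddressIP4"]) is None
            and in_excluded(event["RemoteAddressIP4"]) is None)

# Constructed sample events (hypothetical values, documentation address ranges).
EVENTS = [
    # Private local address: dropped by the first filter even though remote is external.
    {"LocalAddressIP4": "10.1.2.3", "RemoteAddressIP4": "198.51.100.7"},
    # Both external: kept.
    {"LocalAddressIP4": "203.0.113.9", "RemoteAddressIP4": "198.51.100.7"},
    # Multicast remote (inside 224.0.0.0/4): dropped by the second filter.
    {"LocalAddressIP4": "203.0.113.9", "RemoteAddressIP4": "239.255.255.250"},
    # 172.32.0.1 is just past the end of 172.16.0.0/12, so it is kept.
    {"LocalAddressIP4": "203.0.113.9", "RemoteAddressIP4": "172.32.0.1"},
    # 100.64.0.0/10 (RFC 6598 shared address space) is not in the list, so it is kept.
    {"LocalAddressIP4": "203.0.113.9", "RemoteAddressIP4": "100.64.0.1"},
]

def kept_remotes(events):
    """Remote addresses of the events that pass both filters."""
    return [e["RemoteAddressIP4"] for e in events if keep_event(e)]

if __name__ == "__main__":
    for e in EVENTS:
        verdict = "keep" if keep_event(e) else "drop"
        print(verdict, e["LocalAddressIP4"], "->", e["RemoteAddressIP4"])
```

Ranges that are not in the list, such as 100.64.0.0/10, pass through both filters and would need to be added to the subnet array if they should also be excluded.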