FAQ: How do I omit RFC-1819 addresses from my search results?

LogScale Documentation Full Library Knowledge Base Release Notes Integrations Query Examples Training API GraphQL API Contacting Support

Reading time: 0 minutes

You can use the cidr() function to omit internal IP addresses when focusing on remote IP addresses:

#event_simpleName=UserLogon 
| !cidr(RemoteAddressIP4, subnet=["224.0.0.0/4", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/32", "169.254.0.0/16", "0.0.0.0/32"])

Knowledge Base

FAQ: How do I omit RFC-1819 addresses from my search results?

Enter search term