I am curious whether tags can be used to identify complete subnets. For example, I would like to assign the tag name "dmz1" to the field value pair `dest_ip=10.1.0.0/16`. I would also like to assign the same tag name "dmz1" to the field value pair `src_ip=10.1.0.0/16`.
After creating the tags, I ran the search `sourcetype=cisco:asa tag::src_ip=dmz1` and received results. I ran the search `sourcetype=cisco:asa tag::dest_ip=dmz1` and also received results. When I attempted the search `sourcetype=cisco:asa tag::src_ip=dmz1 tag::dest_ip!=dmz1`, no results were returned.
I did verify that when `tag::src_ip=dmz1`, there are destination IP addresses which are not included in the subnet 10.1.0.0/16.
Is there some aspect of my logic which is incorrect? Assistance would be appreciated.
Thank you.
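As an added worked example (not part of the original question and not Splunk code), the Python below emulates the intended tag logic over constructed ASA-style key=value events: both `src_ip` and `dest_ip` are tagged `dmz1` when they fall in 10.1.0.0/16, and the combined condition is evaluated two ways, because in Splunk `field!=value` does not match events where the field is absent, whereas `NOT field=value` does. The event lines, `TAGS`, `tags_for` and `search` are all constructed for this illustration.

```python
import ipaddress
import re

# Constructed sample events in a Cisco ASA-like key=value style (not real logs).
SAMPLE_EVENTS = [
    "src_ip=10.1.5.20 dest_ip=192.168.7.9 action=allow",
    "src_ip=10.1.5.21 dest_ip=10.1.200.3 action=allow",
    "src_ip=172.16.0.4 dest_ip=10.1.9.9 action=deny",
    "src_ip=10.1.77.1 action=deny",            # event with no dest_ip field at all
    "src_ip=10.2.0.5 dest_ip=8.8.8.8 action=allow",
]

# Tag definitions mirroring the question: tag name -> (field, CIDR) pairs.
TAGS = {"dmz1": [("src_ip", "10.1.0.0/16"), ("dest_ip", "10.1.0.0/16")]}

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Extract key=value pairs from one event line into a dict."""
    return dict(KV_RE.findall(line))

def tags_for(field, value):
    """Return the set of tag names whose CIDR covers this field/value pair."""
    found = set()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:          # non-IP or empty value: no subnet tag applies
        return found
    for tag, pairs in TAGS.items():
        for f, cidr in pairs:
            if f == field and addr in ipaddress.ip_network(cidr):
                found.add(tag)
    return found

def search(events, tag="dmz1"):
    """Emulate 'tag::src_ip=dmz1 tag::dest_ip!=dmz1' under both interpretations.

    strict: dest_ip present and not tagged  (Splunk field!=value semantics)
    loose:  dest_ip absent or not tagged    (Splunk NOT field=value semantics)
    """
    strict, loose = [], []
    for line in events:
        ev = parse_event(line)
        if tag not in tags_for("src_ip", ev.get("src_ip", "")):
            continue            # source is not in the tagged subnet
        dest = ev.get("dest_ip")
        if dest is not None and tag in tags_for("dest_ip", dest):
            continue            # destination is also in the tagged subnet
        loose.append(line)
        if dest is not None:
            strict.append(line)
    return strict, loose
```

Comparing the two result lists shows which events a missing `dest_ip` field silently drops under the `!=` form.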