I am trying to do a query on traffic excluding RFC 1918 addresses. The problem is the raw data has CheckPoint "object names" rather than IP addresses in the "dst" field. So the raw data field might contain alphanumeric characters, for example: dst=g-IP-10.x.x.x instead of simply dst=10.0.0.1.
I want to search and return only results from this field that have non-RFC 1918 addresses even if they are alphanumeric. I'm new to searching Splunk and using regex/rex operators in search is not my strong suit yet.
I tried this but it doesn't exclude alphanumeric results. I think I need some sort of regex/rex expression incorporated somehow:
index="checkpoint" "action=accept" (src=10.2.0.0/13 OR src=10.1.0.0/13) | where (NOT cidrmatch("10.0.0.0/8",dst) AND NOT cidrmatch("172.16.0.0/12",dst) AND NOT cidrmatch("192.168.0.0/16",dst))
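A way to check the filtering logic outside Splunk, added here as an example and not taken from the question or from Splunk's own code: it extracts the address out of the dst object name with the same named-capture regex a rex command could use, then applies the three RFC 1918 tests to the extracted address rather than to the raw field. The sample events and object names are constructed.

```python
import ipaddress
import re

# RFC 1918 ranges: the same three CIDRs the question's search tests with cidrmatch()
RFC1918 = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Pull a dotted quad out of the dst value even when it is wrapped in an object
# name such as "g-IP-10.1.2.3"; the same named capture works in a Splunk rex.
IP_RE = re.compile(r"\b(?P<dst_ip>(?:\d{1,3}\.){3}\d{1,3})\b")
DST_RE = re.compile(r"\bdst=(?P<dst>\S+)")

def extract_dst_ip(event):
    """Return the IPv4 address embedded in the dst field, or None if it has none."""
    m = DST_RE.search(event)
    if not m:
        return None
    ip_m = IP_RE.search(m.group("dst"))
    if not ip_m:
        return None
    try:
        return ipaddress.ip_address(ip_m.group("dst_ip"))
    except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
        return None

def is_rfc1918(ip):
    return any(ip in net for net in RFC1918)

def non_private_destinations(events):
    """Keep accepted events whose dst is a non-RFC 1918 address. dst values with
    no address at all (pure object names) are dropped, whereas NOT cidrmatch()
    on the raw field lets them through because cidrmatch() is false for them."""
    kept = []
    for ev in events:
        if "action=accept" not in ev:
            continue
        ip = extract_dst_ip(ev)
        if ip is not None and not is_rfc1918(ip):
            kept.append(ev)
    return kept

# Constructed sample events in the key=value layout described in the question
SAMPLE_EVENTS = [
    "action=accept src=10.2.1.5 dst=g-IP-10.0.0.1",     # object name, private: drop
    "action=accept src=10.2.1.5 dst=g-IP-203.0.113.7",  # object name, public: keep
    "action=accept src=10.1.3.9 dst=8.8.8.8",           # plain public: keep
    "action=accept src=10.1.3.9 dst=172.20.4.4",        # plain private: drop
    "action=accept src=10.1.3.9 dst=CorpMailServer",    # no address: drop
    "action=drop src=10.1.3.9 dst=198.51.100.2",        # not accepted: drop
]
```

In SPL the equivalent is to add `| rex field=dst "(?<dst_ip>(?:\d{1,3}\.){3}\d{1,3})"` before the where clause and run the three cidrmatch() tests against dst_ip instead of dst.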