How to filter message by cp_id - to exclude some traffic

Answered
Follow
Avatar
Jason Glover

I have a query that is corrupted by excessive noise from internal traffic. I want to limit the results by cp_IP addresses which are known to belong to our company networks.

So I thought something like this would do the trick ..

_sourceCategory=IIS_Logs | parse "GET /p/* " as handle | where length(handle) > 1 and cp_id not in ("120.138.24.181","50.54.162.242","124.157.127.78","124.157.108.250") | count by c_ip | sort by _count desc

Turns out - no.

I can't tell if the reason is that I can't represent the IP addresses as strings. I've tried a lot of different variations.

0

Comments

2 comments

Sort by Date Votes
  • Avatar
    Jason Glover

    Duh!

    _sourceCategory=IIS_Logs and not (c_ip ="120.138.24.181" or c_ip ="50.54.162.242" or c_ip = "124.157.127.78" or c_ip ="124.157.108.250") | parse "GET /p/* " as handle | where length(handle) > 1 | count by handle | sort by _count desc

    1
    Comment actions Permalink
  • Avatar
    Dwayne Hoover

    Hey Jason,
    Glad you found the answer. One suggestion, we also have a couple of CIDR operators that can be helpful in these situations. Have a look: https://service.sumologic.com/help/CIDR_Operator.htm

    Thanks!

    0
    Comment actions Permalink

Please sign in to leave a comment.

Didn't find what you were looking for?

New post