How to filter messages by cp_id - to exclude some traffic
Answered
I have a query that is corrupted by excessive noise from internal traffic. I want to limit the results by cp_IP addresses which are known to belong to our company networks.
So I thought something like this would do the trick:
_sourceCategory=IIS_Logs | parse "GET /p/* " as handle | where length(handle) > 1 and cp_id not in ("220.127.116.11","18.104.22.168","22.214.171.124","126.96.36.199") | count by c_ip | sort by _count desc
Turns out - no.
I can't tell if the reason is that I can't represent the IP addresses as strings. I've tried a lot of different variations.
Glad you found the answer. One suggestion, we also have a couple of CIDR operators that can be helpful in these situations. Have a look: https://service.sumologic.com/help/CIDR_Operator.htm
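The difference between excluding a list of individual addresses (as in the query above) and excluding whole company ranges, shown as an added Python example that is not part of this thread or of Sumo Logic's product; the IIS log lines and the 10.0.0.0/8 and 192.168.0.0/16 "company" ranges are constructed placeholders, and the handle/length filter and the count-by-client-IP mirror the original query.

```python
import ipaddress
import re
from collections import Counter

# Constructed IIS W3C-style lines (date time c-ip cs-method cs-uri-stem cs-uri-query s-port); not real traffic.
SAMPLE_LOG = """\
2023-01-01 10:00:00 10.1.2.3 GET /p/abc123 - 80
2023-01-01 10:00:01 203.0.113.7 GET /p/abc123 - 80
2023-01-01 10:00:02 10.1.2.4 GET /p/zzz - 80
2023-01-01 10:00:03 203.0.113.7 GET /p/q - 80
2023-01-01 10:00:04 198.51.100.9 GET /p/ - 80
2023-01-01 10:00:05 198.51.100.9 GET /p/hello - 80
2023-01-01 10:00:06 203.0.113.7 GET /index.html - 80
2023-01-01 10:00:07 203.0.113.7 GET /p/xyz - 80
"""

# Placeholder company networks (constructed); one CIDR covers every host in the range,
# whereas a list of single addresses only covers the hosts someone remembered to list.
INTERNAL_CIDRS = ("10.0.0.0/8", "192.168.0.0/16")

# Equivalent of: parse "GET /p/* " as handle  (URI runs up to the next space)
LINE_RE = re.compile(r"^\S+ \S+ (?P<c_ip>\S+) GET (?P<uri>\S+) ")


def is_internal(ip, internal_cidrs=INTERNAL_CIDRS):
    """True if the client IP falls inside any of the given CIDR ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr) for cidr in internal_cidrs)


def count_external_handles(log_text, internal_cidrs=INTERNAL_CIDRS):
    """Count /p/<handle> requests per client IP, dropping internal ranges and short handles.

    Returns a list of (c_ip, count) pairs sorted by count descending, like 'sort by _count desc'.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not m.group("uri").startswith("/p/"):
            continue
        handle = m.group("uri")[len("/p/"):]
        if len(handle) <= 1:  # where length(handle) > 1
            continue
        if is_internal(m.group("c_ip"), internal_cidrs):
            continue
        counts[m.group("c_ip")] += 1
    return counts.most_common()


if __name__ == "__main__":
    print(count_external_handles(SAMPLE_LOG))
    # Exact-match list misses 10.1.2.4, which a /8 range would have excluded:
    print(count_external_handles(SAMPLE_LOG, ["10.1.2.3/32"]))
```

Passing a list of /32 entries reproduces the exact-match behaviour of `not in (...)`, so the second call shows an unlisted internal host leaking into the results.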