Splunk Stream

User Manual

This documentation does not apply to the most recent version of Splunk Stream. For documentation on the most recent version, go to the latest release.

Global IP Filters

You can use filter rules to allow or ignore network data capture based on IP address.

Define a whitelist to capture data only from the IP addresses on that list. Define a blacklist to ignore data from the IP addresses on that list and capture data from all other IPs.

Whitelist and blacklist IP filters follow these rules:

| Whitelist | Blacklist | Filter results |
|-----------|-----------|----------------|
| No        | No        | Captures all IPs |
| No        | Yes       | Captures all IPs except blacklist items |
| Yes       | No        | Captures only whitelist IPs |
| Yes       | Yes       | Captures all IPs in whitelist OR IPs not in blacklist |

Each filter entry may be a specific IP (v4 or v6) address, or a range of addresses using the following forms:

  • 192.168.2.* (IPv4 octets may use * to indicate wildcard)
  • 10.20.30.0/24 (IPv4 CIDR notation)
  • 2001:0db8:85a3:0042:1000:8a2e:0370:7300/120 (IPv6 CIDR notation)

For more information, see Include or exclude specific incoming data.
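The following added example (not Splunk code) models the rules table and the three entry forms above so you can check which hosts a planned filter set would leave uncaptured. The function names `entry_matches`, `is_captured` and `blind_spots` are hypothetical, the host list is constructed sample data, and the logic follows the table on this page rather than Splunk Stream's internal implementation.

```python
import ipaddress

def entry_matches(entry, ip):
    """True if ip falls under one filter entry: single IP, IPv4 wildcard, or CIDR."""
    addr = ipaddress.ip_address(ip)
    if "*" in entry:
        # Wildcards apply to IPv4 octets only, e.g. 192.168.2.*
        pattern = entry.split(".")
        if len(pattern) != 4:
            raise ValueError(f"bad IPv4 wildcard entry: {entry!r}")
        if addr.version != 4:
            return False
        octets = str(addr).split(".")
        return all(p == "*" or int(p) == int(o) for p, o in zip(pattern, octets))
    # Single address (treated as /32 or /128) or CIDR range.
    # strict=False accepts entries whose host bits are set.
    net = ipaddress.ip_network(entry, strict=False)
    return addr.version == net.version and addr in net

def is_captured(ip, whitelist=(), blacklist=()):
    """Apply the four-row whitelist/blacklist table from this page to one IP."""
    in_white = any(entry_matches(e, ip) for e in whitelist)
    in_black = any(entry_matches(e, ip) for e in blacklist)
    if whitelist and blacklist:
        return in_white or not in_black   # "in whitelist OR not in blacklist"
    if whitelist:
        return in_white
    if blacklist:
        return not in_black
    return True                           # no filters: capture everything

def blind_spots(ips, whitelist=(), blacklist=()):
    """Return the IPs from ips that the filter set would NOT capture."""
    return [ip for ip in ips if not is_captured(ip, whitelist, blacklist)]

if __name__ == "__main__":
    # Constructed sample data, using the entry forms shown above.
    whitelist = ["192.168.2.*"]
    blacklist = ["10.20.30.0/24", "2001:0db8:85a3:0042:1000:8a2e:0370:7300/120"]
    hosts = ["192.168.2.15", "10.20.30.9", "10.20.31.9",
             "2001:db8:85a3:42:1000:8a2e:370:73aa"]
    print("not captured:", blind_spots(hosts, whitelist, blacklist))
```

Per the last row of the table, when both lists are defined an IP that appears on neither list is still captured, as `10.20.31.9` is in the sample run.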

Last modified on 13 June, 2020

This documentation applies to the following versions of Splunk Stream: 6.5.0, 6.5.1, 6.6.0, 6.6.1, 6.6.2, 7.0.0, 7.0.1

