Use Global IP filters
You can use filter rules to allow or ignore network data capture based on IP address.
Define a whitelist (allow list) to allow data capture from IP addresses on that list only. Define a blacklist (deny list) to ignore data capture from IP addresses on the list, and allow data capture from all other IPs.
Allow list and deny list IP filters follow these rules:
Whitelist | Blacklist | Filter results |
---|---|---|
No | No | Captures all IPs |
No | Yes | Captures all IPs except deny list items |
Yes | No | Captures only allow list IPs |
Yes | Yes | Captures all IPs in allow list OR IPs not in deny list |
Each filter entry may be a specific IP (v4 or v6) address, or a range of addresses using the following forms:
- 192.168.2.* (IPv4 octets may use * to indicate wildcard)
- 10.20.30.0/24 (IPv4 CIDR notation)
- 2001:0db8:85a3:0042:1000:8a2e:0370:7300/120 (IPv6 CIDR notation)
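The following sketch is an added example, not Splunk Stream code. It evaluates the filter-results table literally against the three entry forms listed above, so you can check how a planned pair of lists would treat a given address. The function names `entry_matches` and `captured` and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def entry_matches(entry, ip):
    """Return True if the address string ip is covered by one filter entry."""
    addr = ipaddress.ip_address(ip)
    if "*" in entry:
        # IPv4 wildcard form, e.g. 192.168.2.* ; compare octet by octet.
        if addr.version != 4:
            return False
        pattern = entry.split(".")
        octets = str(addr).split(".")
        return len(pattern) == 4 and all(
            p in ("*", o) for p, o in zip(pattern, octets))
    if "/" in entry:
        # CIDR form (IPv4 or IPv6). strict=False tolerates host bits set in
        # the entry; that leniency is an assumption of this sketch.
        net = ipaddress.ip_network(entry, strict=False)
        return addr.version == net.version and addr in net
    # Single address; the ipaddress module normalizes IPv6 zero padding.
    return addr == ipaddress.ip_address(entry)

def captured(ip, allow_list, deny_list):
    """Apply the four rows of the filter-results table to one address."""
    in_allow = any(entry_matches(e, ip) for e in allow_list)
    in_deny = any(entry_matches(e, ip) for e in deny_list)
    if not allow_list and not deny_list:
        return True                      # no lists: capture everything
    if not allow_list:
        return not in_deny               # deny list only
    if not deny_list:
        return in_allow                  # allow list only
    return in_allow or not in_deny       # both: allow-listed OR not denied

if __name__ == "__main__":
    # Constructed sample: deny a /24 but allow one host inside it.
    allow, deny = ["10.20.30.5"], ["10.20.30.0/24"]
    for ip in ("10.20.30.5", "10.20.30.6", "172.16.0.1"):
        print(ip, "captured" if captured(ip, allow, deny) else "ignored")
```

Read this way, when both lists are defined an address that appears in neither list is still captured, so the allow list acts as a set of exceptions to the deny list rather than as a capture-only restriction.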
For more information, see Include or exclude specific incoming data.
This documentation applies to the following versions of Splunk Stream™: 7.1.0, 7.1.1