Use Global IP filters
You can use filter rules to allow or ignore network data capture based on IP address.
Define a list to allow data capture from IP addresses on that list only. Define a deny list to ignore data capture from IP addresses on the list, and allow data capture from all other IPs.
Allow list and deny list IP filters follow these rules:
Allow list | Deny list | Filter results |
---|---|---|
No | No | Captures all IPs |
No | Yes | Captures all IPs except blocked items |
Yes | No | Captures only allowed IPs |
Yes | Yes | Captures all allowed IPs or IPs not on deny list |
Each filter entry can be a specific IP (v4 or v6) address, or a range of addresses using the following forms:
- 192.168.2.* (IPv4 octets may use * to indicate wildcard)
- 10.20.30.0/24 (IPv4 CIDR notation)
- 2001:0db8:85a3:0042:1000:8a2e:0370:7300/120 (IPv6 CIDR notation)
For more information, see Include or exclude specific incoming data.
Stream aggregation methods | Distributed Forwarder Management |
This documentation applies to the following versions of Splunk Stream™: 7.1.2, 7.1.3, 7.2.0
Feedback submitted, thanks!