Use Global IP filters
You can use filter rules to allow or ignore network data capture based on IP address.
Define an Allow list that limits data capture to IP addresses on that list. Define a Deny list that ignores data capture from IP addresses on the list and allows data capture from all other IPs.
Allow list and Deny list IP filters follow these rules:
Allow list | Deny list | Filter results |
---|---|---|
No | No | Captures all IPs |
No | Yes | Captures all IPs except blocked items |
Yes | No | Captures only allowed IPs |
Yes | Yes | Captures all allowed IPs or IPs not on deny list |
Each filter entry can be a specific IP (v4 or v6) address, or a range of addresses using the following forms:
- 192.168.2.* (IPv4 octets may use * to indicate wildcard)
- 10.20.30.0/24 (IPv4 CIDR notation)
- 2001:0db8:85a3:0042:1000:8a2e:0370:7300/120 (IPv6 CIDR notation)
For more information, see Include or exclude specific incoming data.
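The following Python sketch is an added example, not Splunk Stream code: it models the table and the three entry forms above so you can check which addresses a given pair of lists would capture. The function names and sample addresses are constructed for illustration, and the Yes/Yes row is read exactly as the table states it (captured if on the Allow list or not on the Deny list), which is an assumption about the product's behavior.

```python
import ipaddress


def entry_matches(entry, ip):
    """True if ip falls inside one filter entry (single IP, * wildcard, or CIDR)."""
    addr = ipaddress.ip_address(ip)
    if "*" in entry:
        # IPv4 wildcard form such as 192.168.2.* : compare octet by octet.
        pattern = entry.split(".")
        if len(pattern) != 4:
            raise ValueError(f"bad IPv4 wildcard entry: {entry}")
        if addr.version != 4:
            return False
        octets = str(addr).split(".")
        return all(p == "*" or (p.isdigit() and int(p) == int(o))
                   for p, o in zip(pattern, octets))
    # Single addresses parse as /32 or /128; strict=False tolerates an entry
    # written with host bits set.
    net = ipaddress.ip_network(entry, strict=False)
    return addr.version == net.version and addr in net


def captured(ip, allow=(), deny=()):
    """Apply the four rows of the Allow list / Deny list table to one address."""
    on_allow = any(entry_matches(e, ip) for e in allow)
    on_deny = any(entry_matches(e, ip) for e in deny)
    if not allow and not deny:
        return True                      # No / No: captures all IPs
    if not allow:
        return not on_deny               # No / Yes: all except blocked items
    if not deny:
        return on_allow                  # Yes / No: only allowed IPs
    return on_allow or not on_deny       # Yes / Yes: as the table is written


if __name__ == "__main__":
    # Constructed sample lists and addresses.
    allow = ["10.20.30.0/24"]
    deny = ["10.20.*.*", "2001:0db8:85a3:0042:1000:8a2e:0370:7300/120"]
    for ip in ["10.20.30.5", "10.20.99.1", "172.16.0.1",
               "2001:db8:85a3:42:1000:8a2e:370:73ff"]:
        print(f"{ip:40} captured={captured(ip, allow, deny)}")
```

Under this reading, an address that appears on neither list is still captured when both lists are defined, so a Deny list entry only takes effect for addresses that the Allow list does not also cover.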
This documentation applies to the following versions of Splunk Stream™: 8.0.1, 8.0.2, 8.1.0, 8.1.1, 8.1.3