2015-04-28 03:07 AM
Hi,
I am working on an Informer Report and, for the query, I am trying to filter based on IP Range in Informer.
I wanted to confirm if CIDR based filtering is possible?
Query:
ip.src!='$WEBTIER' (in WHERE query)
or
filter_out('$WEBTIER', 'ip.src'); (in THEN Field)
I know != is expensive and hence I prefer the second option, filter_out(); however, neither of them is working.
$WEBTIER is a list of CIDRs
10.x.x.x/23,
11.x.x.x/36,
125.x.x.x
Currently, with either of the options above, the result is not filtering the IPs that fall in that CIDR.
Any help is greatly appreciated.
Thanks,
Uma
2015-04-28 03:20 AM
2015-04-28 07:58 AM
The syntax appears to be valid, however the query will also likely be quite taxing on the system. If this is a one-time needed search, you are at the mercy of the system resources to complete the query - which comprises a myriad of factors specific to your system architecture and size of your data set. If you intend to run a query like this in the future, a more efficient approach would be to have the Decoder tag those known CIDR nets before the sessions are filed away in the database by leveraging a custom feed. Then you would have significantly quicker responses from your query/report when searching on whatever meta you define that corresponds to that feed.
2015-04-28 07:59 AM
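Added example, not part of the original thread and not the product's own code: a Python sketch that checks a CIDR list like $WEBTIER before it is used for a custom feed, then writes one "network,tag" row per range. The sample addresses, the tag value "webtier" and the two-column CSV layout are assumptions; the column mapping still has to be declared in whatever feed definition your Decoder uses.

```python
import csv
import io
import ipaddress

# Constructed sample list: the thread masks the real octets, so these are placeholders.
SAMPLE_WEBTIER = ["10.1.2.0/23,", "11.0.0.0/36,", "125.9.8.7", "10.1.2.5/23"]


def normalize_cidrs(entries):
    """Return (networks, rejected). Bare IPs become /32; bad entries are reported."""
    networks, rejected = [], []
    for raw in entries:
        text = raw.strip().rstrip(",")
        if not text:
            continue
        try:
            # strict=False masks host bits, so 10.1.2.5/23 becomes 10.1.2.0/23
            networks.append(ipaddress.ip_network(text, strict=False))
        except ValueError as exc:
            # e.g. a prefix length above 32 on an IPv4 address
            rejected.append((text, str(exc)))
    # collapse_addresses needs one IP version per call; it de-duplicates and merges
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    merged = list(ipaddress.collapse_addresses(v4))
    merged += list(ipaddress.collapse_addresses(v6))
    return merged, rejected


def build_feed_csv(networks, tag="webtier"):
    """Render 'network,tag' rows (assumed layout) for a custom feed file."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for net in networks:
        writer.writerow([str(net), tag])
    return buf.getvalue()


def in_webtier(address, networks):
    """True if the address falls inside any listed network."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets, bad = normalize_cidrs(SAMPLE_WEBTIER)
    for entry, reason in bad:
        print(f"rejected {entry}: {reason}")
    print(build_feed_csv(nets), end="")
```

Rejected entries are worth reviewing before the list goes into a report variable or a feed, since a range that fails to parse will not match any session.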