Filtering CIDR in Netwitness Informer
Hi,
I am working on an Informer Report and, for the query, I am trying to filter based on IP range in Informer.
I wanted to confirm if CIDR based filtering is possible?
Query:
ip.src!='$WEBTIER' (in WHERE query)
or
filter_out('$WEBTIER', 'ip.src'); (in THEN Field)
I know != is expensive and hence I prefer the second option to filter_out(); however, none of them are working.
$WEBTIER is a list of CIDRs
10.x.x.x/23,
11.x.x.x/36,
125.x.x.x
Currently, with either of the options above, the result is not filtering the IPs that fall in that CIDR.
Any help is greatly appreciated.
Thanks,
Uma
The syntax appears to be valid; however, the query will also likely be quite taxing on the system. If this is a one-time needed search, you are at the mercy of the system resources to complete the query, which comprise a myriad of factors specific to your system architecture and the size of your data set. If you intend to run a query like this in the future, a more efficient approach would be to have the Decoder tag those known CIDR nets before the sessions are filed away in the database by leveraging a custom feed. Then you would have significantly quicker responses from your query/report when searching on whatever meta you define that corresponds to that feed.
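Preparing the CIDR list for the feed suggested in the reply above, as an added example that is not part of the original thread or of NetWitness itself: it validates each entry, merges adjacent ranges, and writes one row per network. The two-column `network,tag` layout, the `webtier` tag and the sample ranges are assumptions; the feed definition that maps these columns to a meta key is not shown.

```python
import csv
import io
import ipaddress

# Constructed sample list standing in for $WEBTIER (documentation ranges only).
RAW_CIDRS = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24",
             "203.0.113.7", "10.20.30.0/36"]


def parse_cidrs(entries):
    """Split entries into valid networks and rejected strings."""
    valid, rejected = [], []
    for entry in entries:
        try:
            # strict=False normalises entries that have host bits set;
            # a bare address becomes a /32 network.
            valid.append(ipaddress.ip_network(entry.strip(), strict=False))
        except ValueError:
            # e.g. a prefix length above 32 for IPv4
            rejected.append(entry)
    return valid, rejected


def build_feed_csv(networks, tag):
    """Return CSV text with one 'network,tag' row per merged network."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    # collapse_addresses merges adjacent/overlapping ranges and sorts them.
    for net in ipaddress.collapse_addresses(networks):
        writer.writerow([str(net), tag])
    return buf.getvalue()


def is_tagged(ip, networks):
    """Preview whether a source IP falls inside any listed network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets, bad = parse_cidrs(RAW_CIDRS)
    print("rejected entries:", bad)
    print(build_feed_csv(nets, "webtier"), end="")
    for ip in ("192.0.2.200", "203.0.113.8"):
        print(ip, "tagged" if is_tagged(ip, nets) else "not tagged")
```

Rejected entries are worth fixing before the list is deployed, since a malformed range tags nothing and the report then silently includes the addresses it was meant to exclude.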