Filter Logfiles for different ip subnets?

tofu1 · July 2, 2021, 8:13am

Hello everybody,

my task is to filter our logs against different ip subnets in form 1.1.1.0/16. (only an example).
Is there any possible way to do this via grafana and loki?
I am new to loki, so i have to learn much new things.
The only thing i have already done is to filter against one single ip.

Can anybody help me please?

Thanks in advance.

kavikanagaraj · July 2, 2021, 10:45am

Hi @tofu1
Currently Loki doesn’t support ip matcher with subnet. It’s under implementation. More discussion here.

tofu1 · July 2, 2021, 11:47am

Hi @kavikanagaraj,

thx for the infos.

tofu1 · August 9, 2021, 5:56pm

Hi @kavikanagaraj ,

i have seen the latest update.
Thats awesome. IP Matcher looks good.

Unfortunately i need a little bit help.
I want to filter for a few cidr.

I want to filter incoming traffic from different subnets over one day.
My example query:

topk(100, sum by (sourceip,destport,protoname) (count_over_time({job=~“syslog”, host=“OPNsense.localhost”,action=“block”,interface=“igb0”,direction=“in”} | sourceip = ip(“192.168.1.0/24”) , ip(“192.168.4.0/24”) , ip(“192.168.30.0/24”) , ip(“193.222.200.0/23”) [1d])))

One cidr is working fine, but not more.

This is working:

topk(100, sum by (sourceip,destport,protoname) (count_over_time({job=~“syslog”, host=“OPNsense.localhost”,action=“block”,interface=“igb0”,direction=“in”} | sourceip = ip(“193.222.200.0/23”) [1d])))

Perhabs you have an idea?

Thanks in advance.

tofu1 · August 9, 2021, 6:23pm

Ok, i found an workaround for the beginning.

topk(100, sum by (sourceip,destport,protoname) (count_over_time({job=~“syslog”, host=“OPNsense.localhost”,action=“block”,interface=“igb0”,direction=“in”} | sourceip = ip(“192.168.1.0/24”) or sourceip = ip(“192.168.4.0/24”) or sourceip = ip(“192.168.30.0/24”) or sourceip = ip(“193.222.200.0/23”) [1d])))

Perhabs anyone have a better solution?

From the “Logql Matching IP” website:

A CIDR specification. Examples: ip("192.51.100.0/24") , ip("2001:db8::/32")

kavikanagaraj · August 27, 2021, 8:11am

Hi @tofu1. Thanks for trying out IP matcher.

If you want to match multiple CIDR pattern you can always chain together as multiple label filters.

e.g:

| sourceip = ip(“192.168.1.0/24”) | sourceip=ip(“192.168.4.0/24”) | sourceip =ip(“192.168.30.0/24”) | sourceip = ip(“193.222.200.0/23”

Hope that should solve your problem!

tofu1 · October 4, 2021, 8:22pm

Thanks @kavikanagaraj

system · October 4, 2022, 8:23pm

This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Using regex to make logs looks cleaner Grafana Loki	1	743	February 21, 2023
Is this possible with loki / grafana Grafana	0	500	August 29, 2020
Is it possible to match domain names when using parser expression pattern？ Grafana Loki	1	190	October 14, 2023
Get unique value through pattern Grafana Loki	2	103	July 24, 2024
How to extract matched string from logs and display it in table Grafana Loki loki , grafana , logql	1	706	May 29, 2024

Filter Logfiles for different ip subnets?

Related topics