New addition to our Search Language - IN keyword

We wanted to give you a simple and easy way to search through your log list.

A real-life use case would be searching through your firewall logs.

Original query:

    where(connection_status=/accept/i AND direction!=/outbound/i AND
source_address!=/10\..*|127\..*|172\.(1[6-9]|2[0-9]|3[01])\..*|192\.168\..*/ AND
destination_port=/3389|5938|5900/)  groupby(geoip_country_name) limit(1000)

The new, equivalent query using a list will:

  • Simply enumerate your private IP addresses and ports
  • Need no regex for subnet checking
  • Operate on IP addresses and numeric ports rather than strings
  • Not require repeating the key for every value

    where(connection_status=/accept/i AND direction!=/outbound/i AND
    source_address NOT IN [IP(10.0.0.0/24), IP(127.0.0.0/24), IP(172.16.0.0/16), IP(192.168.0.0/16)] AND
    destination_port IN [3389, 5938, 5900]) groupby(geoip_country_name) limit(1000)
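To make the difference between the two filter styles concrete, here is an added example (not part of the original post, and not the search engine's own implementation) that evaluates both the regex query and the IN/NOT IN list query over a handful of constructed firewall records. It assumes the regex operators behave like Python's unanchored `re.search`, and it shows two things the post's bullet points hint at: a string regex on the port matches `13389` because it contains `3389`, while a numeric `IN [3389, 5938, 5900]` does not; and the CIDR masks written in the post (`/24` for 10.x and 127.x, `/16` for 172.16.x) are narrower than what the original regex excludes (`/8`, `/8`, `/12`), so a second list with those wider masks is included for comparison. Record values, country names and the `REGEX_EQUIV_NETS` list are all constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample firewall records (not real log data). The 10.20.30.40 and
# 172.20.1.2 sources and the 13389 port are chosen to expose the differences.
SAMPLE_LOGS = [
    {"connection_status": "ACCEPT", "direction": "inbound",
     "source_address": "203.0.113.7", "destination_port": 3389, "geoip_country_name": "Netherlands"},
    {"connection_status": "accept", "direction": "inbound",
     "source_address": "10.20.30.40", "destination_port": 3389, "geoip_country_name": "United States"},
    {"connection_status": "accept", "direction": "outbound",
     "source_address": "203.0.113.8", "destination_port": 5900, "geoip_country_name": "Germany"},
    {"connection_status": "drop", "direction": "inbound",
     "source_address": "198.51.100.5", "destination_port": 5938, "geoip_country_name": "Brazil"},
    {"connection_status": "accept", "direction": "inbound",
     "source_address": "172.20.1.2", "destination_port": 5900, "geoip_country_name": "France"},
    {"connection_status": "accept", "direction": "inbound",
     "source_address": "198.51.100.9", "destination_port": 13389, "geoip_country_name": "Brazil"},
]

# Conditions shared by both queries (kept as regexes in the new query too).
ACCEPT_RE = re.compile("accept", re.I)
OUTBOUND_RE = re.compile("outbound", re.I)

# Regex form: the subnet alternation and the unanchored port alternation.
PRIVATE_SRC_RE = re.compile(r"10\..*|127\..*|172\.(1[6-9]|2[0-9]|3[01])\..*|192\.168\..*")
PORT_RE = re.compile(r"3389|5938|5900")

# IN-list form: networks exactly as written in the post's query ...
POST_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/24", "127.0.0.0/24", "172.16.0.0/16", "192.168.0.0/16")]
# ... and the networks the regex actually covers (assumed here for comparison).
REGEX_EQUIV_NETS = [ipaddress.ip_network(n) for n in
                    ("10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WATCHED_PORTS = {3389, 5938, 5900}


def common_predicate(rec):
    """connection_status=/accept/i AND direction!=/outbound/i"""
    return (ACCEPT_RE.search(rec["connection_status"]) is not None
            and OUTBOUND_RE.search(rec["direction"]) is None)


def regex_query(rec):
    """source_address!=/.../ AND destination_port=/3389|5938|5900/, evaluated on strings."""
    return (common_predicate(rec)
            and PRIVATE_SRC_RE.search(rec["source_address"]) is None
            and PORT_RE.search(str(rec["destination_port"])) is not None)


def in_list_query(rec, private_nets, ports=WATCHED_PORTS):
    """source_address NOT IN [IP(...)] AND destination_port IN [...], evaluated on typed values."""
    if not common_predicate(rec):
        return False
    try:
        src = ipaddress.ip_address(rec["source_address"])
    except ValueError:
        return False  # unparsable address: cannot be compared against a CIDR list
    return not any(src in net for net in private_nets) and rec["destination_port"] in ports


def group_by_country(records, predicate):
    """groupby(geoip_country_name): number of matching records per country."""
    return dict(Counter(r["geoip_country_name"] for r in records if predicate(r)))


if __name__ == "__main__":
    print("regex query:         ", group_by_country(SAMPLE_LOGS, regex_query))
    print("IN, post's masks:    ", group_by_country(SAMPLE_LOGS, lambda r: in_list_query(r, POST_NETS)))
    print("IN, /8 /8 /12 /16:   ", group_by_country(SAMPLE_LOGS, lambda r: in_list_query(r, REGEX_EQUIV_NETS)))
```

Running it shows the regex query counting Brazil (the port-13389 record) while the list query does not, and the post's `/24` and `/16` masks letting the 10.20.30.40 and 172.20.1.2 sources through where both the regex and the `/8`, `/8`, `/12` list exclude them. When moving a regex filter to IN lists, recheck the masks against the ranges the old pattern actually covered.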

Let us know what you think :slight_smile:

