Problem: a huge list of IP addresses across multiple subnets; how to group them and list them in order of subnet.
This is what we came up with:
index=dhcp dest_ip="10.0.0.0/8"
| where dest != dest_ip
| stats count(dest) by dest, dest_ip
| eval ipoctet=split(dest_ip, ".")
| eval int1=floor(tonumber(mvindex(ipoctet,0))*16777216)
| eval int2=floor(tonumber(mvindex(ipoctet,1))*65536)
| eval int3=floor(tonumber(mvindex(ipoctet,2))*256)
| eval ipv4int=int1+int2+int3+tonumber(mvindex(ipoctet,3))
| sort 0 ipv4int
| table dest, dest_ip, ipv4int
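The octet arithmetic in the search above, as an added Python example that is not part of the original post: it converts dotted-quad addresses to the same integer the eval chain computes (a*2^24 + b*2^16 + c*2^8 + d), sorts on that integer (which is what Splunk's `sort ip(field)` does natively), shows why a plain string sort of the address field gives the wrong order, and additionally buckets the sorted rows by a chosen prefix length, which is the grouping the question asks for and the search itself does not do. The sample rows and host names are constructed for illustration, not real DHCP data.

```python
import ipaddress

# Constructed sample rows in the shape of the `stats ... by dest, dest_ip`
# output from the question (not real log data).
SAMPLE_ROWS = [
    {"dest": "host-a", "dest_ip": "10.2.0.15"},
    {"dest": "host-b", "dest_ip": "10.10.1.3"},
    {"dest": "host-c", "dest_ip": "10.2.0.100"},
    {"dest": "host-d", "dest_ip": "10.2.1.7"},
    {"dest": "host-e", "dest_ip": "10.0.255.254"},
    {"dest": "host-f", "dest_ip": "10.10.0.9"},
]


def ipv4_to_int(ip: str) -> int:
    """Same value as the search's ipv4int: a*2^24 + b*2^16 + c*2^8 + d.

    Unlike the tonumber()/mvindex() chain, which silently yields null for
    malformed input, this raises ValueError so bad rows are not dropped
    unnoticed from the sorted output.
    """
    octets = ip.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {ip!r}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {ip!r}")
        value = (value << 8) | n  # shift left one octet, append this one
    return value


def sort_rows(rows):
    """Order rows by numeric address; equivalent to `sort ip(dest_ip)`."""
    return sorted(rows, key=lambda r: ipv4_to_int(r["dest_ip"]))


def sort_rows_lexically(rows):
    """Order rows by the address *string*, i.e. what a bare `sort dest_ip`
    would do. Kept only to show the wrong ordering it produces (10.10.x
    before 10.2.x, .100 before .15)."""
    return sorted(rows, key=lambda r: r["dest_ip"])


def group_by_subnet(rows, prefix_len=24):
    """Bucket rows by the /prefix_len network containing dest_ip.

    Returns {network: [rows...]} with networks in ascending numeric order
    and rows ascending within each network, because the input is sorted
    numerically first and dict insertion order is preserved.
    """
    groups = {}
    for row in sort_rows(rows):
        net = ipaddress.ip_network(f"{row['dest_ip']}/{prefix_len}", strict=False)
        groups.setdefault(str(net), []).append(row)
    return groups


if __name__ == "__main__":
    for net, members in group_by_subnet(SAMPLE_ROWS).items():
        print(net)
        for row in members:
            print(f"  {row['dest_ip']:<15} {row['dest']}")
```

Two Splunk caveats worth keeping in mind alongside this: `sort` without a count truncates to 10,000 results (use `sort 0 ...` for a "huge list"), and the lexicographic ordering shown by `sort_rows_lexically` is exactly what you get if you sort the raw address field instead of the integer or `ip()`.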
What's wrong with:
...| sort ip(your_ip_field) | ...
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort
/K
You can also simplify the search in (at least) the following way (not really that much more efficient, but easier to read):
index=dhcp dest_ip=10.* dest!=dest_ip | ...
Perhaps more can be done - depending on log content and your desired outcome.
Other than that it's a simple and far more straightforward solution?