How does one search for a CIDR range of addresses?

samalchow · ‎04-02-2014

If I want to search for a range of addresses, say anything in 10.0.1.0/24 from anywhere in the log, how do you do that? I can't find anything that works.

lball · ‎01-05-2018

You can frame the search with wild cards. Example: src_ip=10.1.2.[wcrd] for a /24 CIDR range or src_ip=10.7.[wcrd].[wcrd] for a /16 CIDR range, etc.

[wcrd] = *

(I was having trouble getting the * to show when using more than 1 in the IP addresses.)

dfrankekcg · ‎07-12-2016

If the IP ranges are consecutive you can use an online CIDR calculator to get the CIDR notation to use. Example: to search where src_ip is between 127.0.120.0 and 127.0.122.0, use src_ip=127.0.120.0/23

Ayn · ‎04-02-2014

You can't do CIDR defined search on freetext. You can however do it if you have the IP addresses you want to match against in extracted fields. In other words,

10.0.0.0/24

won't work, but

src_ip=10.0.0.0/24

will.

How does one search for a CIDR range of addresses?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms