I am looking for the best way to search multiple IP ranges. Currently I am using rex as follows:
sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
This works as intended and will show every value where the last octet is >=0 or <=100. I have 2 questions:
[1] How can I make it so I can search many ranges? Something like:
sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
sourcetype=mysourcetype 2.*.*.* | rex field=ip "2\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
[2] Is there a way to make it so it's not this range?
If you can express what you're looking for in CIDR notation, Splunk is smart enough to do this pretty much itself using where and cidrmatch. See http://www.splunk.com/base/Documentation/latest/SearchReference/Where for more info.
But, if you really want to do octet ranges, something like this should work as a more generalized rule:
sourcetype=mysourcetype
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)"
| search ( ( ip_octet1 >= 204 ip_octet1 <=207 ip_octet3 >=70 ) OR ip_octet3=105 )
You can perform arbitrarily complex boolean expressions of AND, OR, and NOT to get your point across, as long as you properly wrap it with parentheses.
But, hopefully, the CIDR approach is much more workable for you.
CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks.
Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:
http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table
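Both answers above come down to the same question: can the ranges be turned into CIDR blocks? The following is an added example written for this thread, not code posted by the asker or either answerer. It decomposes an inclusive address range into the minimal exact CIDR cover (a range such as .0 to .100 is not a single block; it needs four), emits the cidrmatch() where clause for many ranges and for the complement of them (questions [1] and [2]), and checks the decomposition offline with the ipaddress module. It assumes the extracted field is named ip and the sourcetype from the thread; the ranges and sample addresses are constructed for illustration. It also shows the caveat the answers imply: a last-octet filter applied across a whole /8 is not one contiguous range and is only practical with the octet-extraction search, so a helper for that form is included as well.

```python
"""Generate Splunk cidrmatch() / octet-range searches from IP range specs.

Added example for this thread (not the asker's or answerers' code). Assumes a
field named `ip` and sourcetype=mysourcetype; all ranges below are made up.
"""
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[str, str]  # inclusive (first, last) IPv4 address


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Minimal list of CIDR blocks covering exactly first..last (inclusive).

    A range that is not aligned to a power-of-two boundary (e.g. .0 to .100)
    cannot be one block; summarize_address_range splits it into the smallest
    exact cover, so the generated cidrmatch() never over-matches.
    """
    lo = ipaddress.IPv4Address(first)
    hi = ipaddress.IPv4Address(last)
    if hi < lo:
        raise ValueError(f"range {first}-{last} is backwards")
    return [str(net) for net in ipaddress.summarize_address_range(lo, hi)]


def cidrmatch_clause(field: str, cidrs: Iterable[str], negate: bool = False) -> str:
    """Build `| where (cidrmatch("<cidr>", <field>) OR ...)`, wrapped in NOT if negate.

    Argument order matters: Splunk's cidrmatch takes the CIDR first, then the field.
    """
    terms = [f'cidrmatch("{c}", {field})' for c in cidrs]
    if not terms:
        raise ValueError("no CIDR blocks to match")
    body = " OR ".join(terms)
    return f"| where NOT ({body})" if negate else f"| where ({body})"


def search_for_ranges(ranges: Iterable[IPRange], field: str = "ip", negate: bool = False) -> str:
    """Full SPL for many contiguous ranges ([1]) or for everything outside them ([2])."""
    cidrs: List[str] = []
    for first, last in ranges:
        cidrs.extend(range_to_cidrs(first, last))
    return "sourcetype=mysourcetype " + cidrmatch_clause(field, cidrs, negate)


def last_octet_search(first_octet: int, lo: int, hi: int, negate: bool = False) -> str:
    """SPL for the asker's non-contiguous pattern: first octet fixed, last octet in lo..hi.

    Across a whole /8 that is 65536 separate blocks, so CIDR is the wrong tool;
    extract the octets with rex and compare them numerically instead.
    """
    if not (0 <= lo <= hi <= 255 and 0 <= first_octet <= 255):
        raise ValueError("octet values must be 0-255 and lo <= hi")
    rex = r'| rex field=ip "^(?<o1>\d+)\.(?<o2>\d+)\.(?<o3>\d+)\.(?<o4>\d+)$"'
    cond = f"o1={first_octet} o4>={lo} o4<={hi}"
    tail = f"NOT ({cond})" if negate else f"({cond})"
    return f"sourcetype=mysourcetype {rex} | search {tail}"


def in_ranges(ip: str, ranges: Iterable[IPRange]) -> bool:
    """Offline check with the same semantics as the generated cidrmatch clause."""
    addr = ipaddress.IPv4Address(ip)
    nets = [ipaddress.IPv4Network(c)
            for first, last in ranges for c in range_to_cidrs(first, last)]
    return any(addr in n for n in nets)


if __name__ == "__main__":
    # Constructed ranges: the asker's "last octet 0-100" pinned to two /24s.
    wanted = [("1.2.3.0", "1.2.3.100"), ("2.2.3.0", "2.2.3.100")]
    print(search_for_ranges(wanted))
    print(search_for_ranges(wanted, negate=True))
    print(last_octet_search(1, 0, 100, negate=True))
    for sample in ("1.2.3.100", "1.2.3.101", "2.2.3.64"):
        print(sample, in_ranges(sample, wanted))
```

For 1.2.3.0 to 1.2.3.100 the cover is 1.2.3.0/26, 1.2.3.64/27, 1.2.3.96/30 and 1.2.3.100/32; a /24 that happened to be aligned would collapse to one block. If the generated OR list gets long, the lookup-table approach linked above is the place to put those blocks instead of the search string.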
Great. I am just wondering, from a performance perspective, what's best. If I do CIDR then I could do src=1.1.1.1/8. So my question is: would it be best to do cidrmatch(src, 1.1.1.1/8) or src=1.1.1.1/8?