Splunk Search

Search for multiple IP ranges

bsteelz93
Path Finder

I am looking for the best way to search multiple IP ranges. Currently I am using rex as follows

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

This works as intended and will show every value where the last octet is >=0 or <=100. I have 2 questions:

[1] How can I make so I could search many ranges? Something like:

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
sourcetype=mysourcetype 2.*.*.* | rex field=ip "2\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

[2] Is there a way to make it so it's not this range?

1 Solution

dwaddle
SplunkTrust

If you can express what you're looking for in CIDR notation, Splunk is smart enough to do this pretty much itself using where and cidrmatch. See http://www.splunk.com/base/Documentation/latest/SearchReference/Where for more info.

But, if you really want to do octet ranges, something like this should work as a more generalized rule:

sourcetype=mysourcetype
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)"
| search ( (ip_octet1>=204 AND ip_octet1<=207 AND ip_octet3>=70) OR ip_octet3=105 )

You can perform arbitrarily complex boolean expressions of AND, OR, and NOT to get your point across, as long as you properly wrap it with parentheses.

But, hopefully, the CIDR approach is much more workable for you.

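The two approaches in the accepted answer, mirrored in plain Python as an added example (this is not code from the thread or from Splunk). It lets you check, outside Splunk, which CIDR blocks a last-octet range really corresponds to before you commit to `| where cidrmatch("<cidr>", ip)`, and it applies the ANDed/ORed octet rules, including the negated "NOT this range" case from question [2], to a handful of constructed events. The field name `ip`, the rule encoding and the sample events are assumptions made for the example.

```python
"""Added example, not code from the Splunk Answers thread: the octet-range
and CIDR approaches discussed above, mirrored in plain Python so the
mapping between an octet range and CIDR blocks can be checked before
writing `| where cidrmatch("<cidr>", ip)`.  Field name `ip`, the rule
encoding and all sample events are assumptions made for this example."""
import ipaddress
from typing import Iterable

# One rule = clauses (octet_number, low, high) ANDed together; a rule set
# is a list of rules ORed together, like the parenthesised search expression
# in the accepted answer.
Rule = list[tuple[int, int, int]]


def octet_range_to_cidrs(base: str, lo: int, hi: int) -> list[str]:
    """Minimal CIDR blocks covering 'last octet in lo..hi' within the /24
    that contains `base`; these are what cidrmatch() can consume."""
    net = ipaddress.ip_network(f"{base}/24", strict=False)
    first, last = net.network_address + lo, net.network_address + hi
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def cidr_match(cidr: str, ip: str) -> bool:
    """Python equivalent of Splunk's cidrmatch("<cidr>", <ip>)."""
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def octets(ip: str) -> list[int]:
    """The four fields the rex in the thread extracts (ip_octet1..ip_octet4)."""
    parts = ip.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return [int(p) for p in parts]


def octet_rule_match(ip: str, rules: Iterable[Rule], negate: bool = False) -> bool:
    """True if any rule's clauses all hold; negate=True is the 'NOT this range'
    case from question [2]."""
    o = octets(ip)
    hit = any(all(lo <= o[n - 1] <= hi for n, lo, hi in rule) for rule in rules)
    return not hit if negate else hit


def filter_events(events: Iterable[str], rules: Iterable[Rule], negate: bool = False) -> list[str]:
    """Keep the events whose ip=... value matches; events with no ip field or a
    malformed one are dropped, as they would be when rex extracts nothing."""
    kept = []
    for line in events:
        if "ip=" not in line:
            continue
        ip = line.split("ip=", 1)[1].split()[0]
        try:
            if octet_rule_match(ip, rules, negate):
                kept.append(line)
        except ValueError:
            continue
    return kept


def cidr_and_octet_agree(base: str, lo: int, hi: int) -> bool:
    """Brute-force check over all 256 hosts of the /24 that the CIDR blocks and
    the last-octet range accept exactly the same addresses."""
    cidrs = octet_range_to_cidrs(base, lo, hi)
    for addr in ipaddress.ip_network(f"{base}/24", strict=False):
        by_cidr = any(cidr_match(c, str(addr)) for c in cidrs)
        by_octet = octet_rule_match(str(addr), [[(4, lo, hi)]])
        if by_cidr != by_octet:
            return False
    return True


# Constructed sample events (not real logs), in the shape "... ip=<addr> ...".
SAMPLE_EVENTS = [
    "2024-03-01T10:00:00Z sourcetype=mysourcetype ip=1.2.3.4 action=allow",
    "2024-03-01T10:00:01Z sourcetype=mysourcetype ip=1.2.3.200 action=allow",
    "2024-03-01T10:00:02Z sourcetype=mysourcetype ip=2.9.9.100 action=deny",
    "2024-03-01T10:00:03Z sourcetype=mysourcetype ip=204.10.105.7 action=deny",
    "2024-03-01T10:00:04Z sourcetype=mysourcetype ip=206.1.80.9 action=deny",
    "2024-03-01T10:00:05Z sourcetype=mysourcetype host=nolog",
]
# Question [1]: (first octet 1 AND last octet 0..100) OR (first octet 2 AND last octet 0..100).
QUESTION_1_RULES = [[(1, 1, 1), (4, 0, 100)], [(1, 2, 2), (4, 0, 100)]]
# The accepted answer's expression: (o1 in 204..207 AND o3 >= 70) OR o3 == 105.
ANSWER_RULES = [[(1, 204, 207), (3, 70, 255)], [(3, 105, 105)]]

if __name__ == "__main__":
    print(octet_range_to_cidrs("1.2.3.0", 0, 100))
    print(cidr_and_octet_agree("1.2.3.0", 0, 100))
    for line in filter_events(SAMPLE_EVENTS, QUESTION_1_RULES):
        print("in range :", line)
    for line in filter_events(SAMPLE_EVENTS, QUESTION_1_RULES, negate=True):
        print("not range:", line)
```

The decomposition is the useful part: a last-octet range of 0..100 needs four CIDR blocks (a /26, a /27, a /30 and a /32) in every /24, so "last octet 0..100 anywhere in 1.0.0.0/8" is not a handful of `cidrmatch` calls, and the AND/OR/NOT octet expression is the practical route. Where the ranges are whole aligned blocks (for example 1.0.0.0/8 OR 2.0.0.0/8), `cidrmatch` is both simpler and cheaper than extracting octets with `rex`.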

southeringtonp
Motivator

CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks.

Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:
     http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table


bsteelz93
Path Finder

Great. I am just wondering, from a performance perspective, what's best. If I do CIDR then I could do src=1.1.1.1/8. So my question is: would it be best to do cidrmatch(src, 1.1.1.1/8) or src=1.1.1.1/8?
