- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to count/map internal traffic for a range of I...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to count/map internal traffic for a range of IP addresses?
I have the following fields within splunk: srcaddr and dstaddr, and I would like to map the number of internal to internal connections. I.e all internal traffic from srcaddr to any dstaddr on the IPs 10.0.0.0/8 and 198.168.0.0/16.
How would I filter for and compare these variables?
Cheers.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
First we need to find the internal to internal connections. One way we can do this with the cidrmatch function in a where command like so:
base search | where (cidrmatch("10.0.0.0/8",srcaddr) OR cidrmatch("192.168.0.0/16", srcaddr)) AND (cidrmatch("10.0.0.0/8",dstaddr) OR cidrmatch("192.168.0.0/16", dstaddr))
Now I'm not sure what you mean by map the number of connections exactly, but from here you could then add a | stats count to get the count of internal to internal connections, or do any other statistical function. (If you could clarify more of what you want I could have a better recommendation)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi acharlieh, I've tried using cidrmatch(), but I don't get any hits for the following index = main | where cidrmatch("192.168.0.0/16",srcaddr), even though there is data with IP addresses in that range under the main index.
Using where like(srcaddr,"192.168.%") returns results, but doesn't seem to be the best solution.
Also, yes I want to essentially get a count of all internal to internal connections.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I wonder if the extraction for srcaddr has a trailing space in it... compare the output of these queries:
| noop | stats count | eval srcaddr="192.168.12.1 " | where like(srcaddr,"192.168.%")
| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",srcaddr)
| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",trim(srcaddr))
| noop | stats count | eval srcaddr="192.168.12.1" | where cidrmatch("192.168.0.0/16",srcaddr)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Could the issue be that the srcaddr is being saved as a string?
Is there a way to force Splunk to save the two fields srcaddr and dstadd as IPs?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
