
How to use tags to identify complete subnets?

adamblock2
Path Finder

I am curious whether tags can be used to identify complete subnets. For example, I would like to assign the tag name "dmz1" to the field value pair dest_ip=10.1.0.0/16. I would also like to assign the same tag name "dmz1" to the field value pair src_ip=10.1.0.0/16.

After creating the tags, I ran the search sourcetype=cisco:asa tag::src_ip=dmz1 and received results. I ran the search sourcetype=cisco:asa tag::dest_ip=dmz1 and also received results. When I attempted the search sourcetype=cisco:asa tag::src_ip=dmz1 tag::dest_ip!=dmz1, no results were returned.

I did verify that when tag::src_ip=dmz1, there are destination IP addresses which are not included in the subnet 10.1.0.0/16.

Is there some aspect of my logic which is incorrect? Assistance would be appreciated.

Thank you.

0 Karma

rakeshh123
Path Finder

hi adamblock2,
I can give the answer to your question. Let me explain using my own example. Below you can see I have one tag, categorytag, assigned to categoryId=Accessories. Also note the number of events and tags in the diagrams below.

[image: screenshot of the categorytag assignment on categoryId=Accessories, with the event and tag counts]

and next same tag is given to another categoryId=Strategy

When you use one tag name for both events, the search will return both events or none at all. The solution to your problem is to create two tags, one for source_ip and one for destination_ip.

index=* tag=categorytag AND categoryID!=STRATEGY gives no results: you are doing a AND NOT a (an intersection with its own negation), which is definitely null.
I created another tag, actiontag, where action=purchase (like destination_ip).
I wrote the query like this: index=* tag=categorytag NOT tag=actiontag

Then you will get all the results for categories in categorytag that don't have purchases (i.e., source ip). Let me know if it works.

0 Karma

renjith_nair
Legend

When you use tags, Splunk just ORs the field-value pairs. You can verify that in the job inspector, where the tag is evaluated to its real value.

So in your case, when you search sourcetype=cisco:asa tag::src_ip=dmz1, your final search should be (src_ip=10.1.0.0/16 OR dest_ip=10.1.0.0/16), and when you negate one, then most probably they cancel each other out (can't verify, though).

Can you check your job inspector to see what the final search (normalized search) Splunk executes? That should give you a hint.

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma
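As an added example (not from this thread and not Splunk's own tag-expansion code): the small Python model below evaluates the poster's intended predicate over a few constructed cisco:asa-style events, and contrasts the field-scoped reading of the tag (tag::src_ip=dmz1 meaning only src_ip=10.1.0.0/16) with the unscoped OR reading described in the reply above (tag=dmz1 meaning src_ip=10.1.0.0/16 OR dest_ip=10.1.0.0/16). The tag definitions mirror the poster's two tags.conf stanzas ([src_ip=10.1.0.0/16] dmz1 = enabled and [dest_ip=10.1.0.0/16] dmz1 = enabled); the events, field names and the two expansion models are assumptions made for the example. Which expansion Splunk actually applies is exactly what the job inspector's normalized search would show; the model only tells you what result set to expect under each reading.

```python
import ipaddress

# Constructed tag table mirroring the poster's tags.conf stanzas:
#   [src_ip=10.1.0.0/16]   dmz1 = enabled
#   [dest_ip=10.1.0.0/16]  dmz1 = enabled
TAGS = {
    "dmz1": [("src_ip", "10.1.0.0/16"), ("dest_ip", "10.1.0.0/16")],
}

# Constructed sample events shaped like cisco:asa field extractions (assumed, not real log data).
EVENTS = [
    {"src_ip": "10.1.4.20",    "dest_ip": "10.1.9.7"},       # DMZ -> DMZ
    {"src_ip": "10.1.4.20",    "dest_ip": "203.0.113.5"},    # DMZ -> outside (the one the poster wants)
    {"src_ip": "192.168.1.10", "dest_ip": "10.1.9.7"},       # outside -> DMZ
    {"src_ip": "192.168.1.10", "dest_ip": "198.51.100.2"},   # outside -> outside
    {"src_ip": "not-an-ip",    "dest_ip": "10.1.9.7"},       # malformed field value, must not match
]


def in_cidr(value, cidr):
    """True if `value` is an IP address inside the CIDR block; malformed input never matches."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def field_has_tag(event, field, tag):
    """Field-scoped reading (tag::field=value): only the pairs assigned to this exact field count."""
    return any(f == field and in_cidr(event.get(f, ""), v) for f, v in TAGS[tag])


def event_has_tag(event, tag):
    """Unscoped reading (tag=value): an OR across every field the tag is assigned to."""
    return any(in_cidr(event.get(f, ""), v) for f, v in TAGS[tag])


def expected_dmz_to_outside(events):
    """What the poster intends: src_ip inside dmz1 AND dest_ip outside dmz1 (field-scoped)."""
    return [e for e in events
            if field_has_tag(e, "src_ip", "dmz1") and not field_has_tag(e, "dest_ip", "dmz1")]


def or_expanded_and_negated(events):
    """If both terms are widened to the unscoped OR form, the search becomes
    (A) AND NOT (A) and can never match, which reproduces the 'no results' symptom."""
    return [e for e in events
            if event_has_tag(e, "dmz1") and not event_has_tag(e, "dmz1")]


if __name__ == "__main__":
    print("expected result set:", expected_dmz_to_outside(EVENTS))
    print("OR-expanded, negated:", or_expanded_and_negated(EVENTS))
```

Under the field-scoped reading exactly one constructed event (DMZ to 203.0.113.5) should come back; under the OR-expanded reading the result is empty regardless of the data, so an empty result set on its own does not tell you whether the tag definitions are wrong or the expansion is. Comparing the normalized search from the job inspector against the two expansions here settles which case applies.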

adamblock2
Path Finder

I understand how if I were to say "tag=dmz1" that Splunk would OR this. However, if I specifically state "tag::src_ip=dmz1", wouldn't/shouldn't that direct Splunk to only apply dmz1 to src_ip?

0 Karma

renjith_nair
Legend

Sorry, but I don't have a Splunk env at the moment to try. But can you search that and see what the job inspector says?

---
What goes around comes around. If it helps, hit it with Karma 🙂
0 Karma