Splunk Search

Trying to search by CIDR but getting no results

bworrellZP
Communicator

So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?

index=* src_ip=10.0.0.0/16 web_app=YouTube
0 Karma
1 Solution

javiergn
SplunkTrust
SplunkTrust

Your syntax is right.
Have you tried searching the whole 10.*.*.* range by using /8 instead of /16?

index=* src_ip=10.0.0.0/8 web_app=YouTube


0 Karma

bworrellZP
Communicator

Tried with the /8 as well. Tried going down to the class C where I know the IP is, and got nada. But when I search by the one actual IP, I get data.

0 Karma

javiergn
SplunkTrust
SplunkTrust

Grr. That's weird.
See this post here:

https://answers.splunk.com/answers/23554/cidr-match.html

I've used that notation hundreds of times.
Is your src_ip being extracted correctly?

0 Karma

bworrellZP
Communicator

I think it is, as I use it in the Cisco security app without an issue. The logs that have this data are the same ones I use to feed that app; I was just trying to do it in the main search app to create a dashboard for the boss.

Going to try something else: omitting the src IP, and see if it will give me that as stats.

0 Karma

bworrellZP
Communicator

So in testing, it seems the web_app field was causing a conflict (it comes from the IPS events in the ASA). Changing from that to youtube.com solved the issue; I got the results I was expecting. Could be a bug in that app, will check with Cisco to be sure.

Thanks for your help.

0 Karma

vasanthmss
Motivator

Try something like this:

index=* web_app=YouTube (src_ip="10.0.0.*" OR src_ip="known ip" OR src_ip="known ip2" ....)

V
0 Karma
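To make the behaviour discussed in this thread concrete, here is an added Python example (not from the original thread, not Splunk's code) that reproduces, over a handful of constructed ASA-style key=value events, what a Splunk search like `index=* src_ip=10.0.0.0/16 web_app=YouTube` does: CIDR matching for terms containing `/`, wildcard matching for terms containing `*`, and otherwise a case-insensitive equality test. The `narrow_down` helper applies the search terms one at a time and reports how many events survive each step, which is the quickest way to see which term (a misspelled field name such as `scr_ip`, or a field value such as `web_app=YouTube` that does not match what the app actually extracted) is the one that empties the result set. It also shows why the wildcard `10.0.0.*` suggested above is not equivalent to `10.0.0.0/16`: it only covers the last octet. The sample events and field names are constructed for the example.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample events in a loose Cisco ASA-like key=value form (not real logs).
SAMPLE_EVENTS = [
    'src_ip=10.0.0.25 dest_ip=203.0.113.10 web_app=youtube.com url=youtube.com',
    'src_ip=10.0.200.7 dest_ip=203.0.113.10 web_app=youtube.com url=youtube.com',
    'src_ip=10.42.7.9 dest_ip=203.0.113.10 web_app=youtube.com url=youtube.com',
    'src_ip=192.168.5.5 dest_ip=203.0.113.10 web_app=YouTube url=youtube.com',
    'src_ip=10.0.1.26 dest_ip=198.51.100.3 web_app=Facebook url=facebook.com',
]

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line):
    """Split a key=value event into a dict, standing in for Splunk field extraction."""
    return dict(KV_RE.findall(line))


def cidr_match(cidr, ip):
    """Same test as Splunk's cidrmatch(): True if ip lies inside the cidr block."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        # Unparseable address or network never matches (Splunk behaves the same way).
        return False


def field_matches(value, pattern):
    """Evaluate one search term field=pattern against an extracted field value.

    '/' in the pattern means CIDR, '*' means wildcard, anything else is a
    case-insensitive equality test, mirroring how the search command compares
    string field values. A missing field (wrong field name) never matches.
    """
    if value is None:
        return False
    if '/' in pattern:
        return cidr_match(pattern, value)
    if '*' in pattern:
        return fnmatchcase(value.lower(), pattern.lower())
    return value.lower() == pattern.lower()


def search(events, **filters):
    """Return the events for which every term matches (implicit AND, as in SPL)."""
    return [e for e in events
            if all(field_matches(e.get(f), p) for f, p in filters.items())]


def narrow_down(events, filters):
    """Apply the terms one at a time and record how many events survive each.

    filters is an ordered list of (field, pattern) pairs. The step whose count
    drops to zero is the term that is killing the search.
    """
    survivors = list(events)
    counts = []
    for field, pattern in filters:
        survivors = search(survivors, **{field: pattern})
        counts.append((f'{field}={pattern}', len(survivors)))
    return counts


EVENTS = [parse_event(line) for line in SAMPLE_EVENTS]

if __name__ == '__main__':
    print('/16 :', len(search(EVENTS, src_ip='10.0.0.0/16')))
    print('/8  :', len(search(EVENTS, src_ip='10.0.0.0/8')))
    print('10.0.0.* (last octet only):', len(search(EVENTS, src_ip='10.0.0.*')))
    # Misspelled field name: the first term already returns nothing.
    print(narrow_down(EVENTS, [('scr_ip', '10.0.0.0/16'), ('web_app', 'youtube.com')]))
    # Correct field name but a web_app value that does not exist in that range.
    print(narrow_down(EVENTS, [('src_ip', '10.0.0.0/16'), ('web_app', 'YouTube')]))
    # The value the app actually extracts.
    print(narrow_down(EVENTS, [('src_ip', '10.0.0.0/16'), ('web_app', 'youtube.com')]))
```

Run it and compare the three `narrow_down` lines: the CIDR term alone keeps three events in all cases, so when the combined search returns nothing the second term is the one to inspect, which is exactly what turned out to be the problem in this thread.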