- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Trying to search by CIDR but getting no results
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?
index=* scr_ip=10.0.0.0/16 web_app=YouTube
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your syntax is right.
Have you tried searching the whole 10...* range by using /8 instead of /16?
index=* scr_ip=10.0.0.0/8 web_app=YouTube
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Your syntax is right.
Have you tried searching the whole 10...* range by using /8 instead of /16?
index=* scr_ip=10.0.0.0/8 web_app=YouTube
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried with the /8 as well. tried going down to the class C where I know the IP is, and get nada. But when I search by the one actual IP, I get data
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Grr. That's weird.
See this post here:
https://answers.splunk.com/answers/23554/cidr-match.html
I've used that notation hundreds of times.
Is your src_ip being extracted correctly?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I think it is, as I use it in the Cisco security app without an issue. The logs that have this data, are the same that I use to feed that app, just was trying to do it in the main search app, to create a dashboard for the boss.
Going to try something else, omitting the SRC IP, and see if it will give me that as a stats.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So in testing, seems the webapp field was causing a conflict (comes from the IPS events in the ASA), changing from that to youtube.com, solved the issue. got the results I was expecting. Could be a bug in that app, will check with Cisco to be sure.
thanks for your help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
try some thing like this,
index= wep_app=YouTube src_ip="10.0.0.*" OR src_id="known ip" OR src_id="known ip2" ....
Introducing the 2024 SplunkTrust!
Introducing the 2024 Splunk MVPs!
Splunk Custom Visualizations App End of Life
