Splunk Search

Trying to search by CIDR but getting no results

bworrellZP
Communicator

So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?

index=* scr_ip=10.0.0.0/16  web_app=YouTube
0 Karma
1 Solution

javiergn
SplunkTrust

Your syntax is right.
Have you tried searching the whole 10.*.*.* range by using /8 instead of /16?

index=* scr_ip=10.0.0.0/8 web_app=YouTube

0 Karma

bworrellZP
Communicator

Tried with the /8 as well. Tried going down to the class C where I know the IP is, and get nada. But when I search by the one actual IP, I get data.

0 Karma

javiergn
SplunkTrust

Grr. That's weird.
See this post here:

https://answers.splunk.com/answers/23554/cidr-match.html

I've used that notation hundreds of times.
Is your src_ip being extracted correctly?

0 Karma

bworrellZP
Communicator

I think it is, as I use it in the Cisco security app without an issue. The logs that have this data are the same ones I use to feed that app; I was just trying to do it in the main search app to create a dashboard for the boss.

Going to try something else: omitting the SRC IP and seeing if it will give me that as stats.

0 Karma

bworrellZP
Communicator

So in testing, it seems the web_app field was causing a conflict (it comes from the IPS events in the ASA); changing from that to youtube.com solved the issue. I got the results I was expecting. Could be a bug in that app; will check with Cisco to be sure.

Thanks for your help.

0 Karma

vasanthmss
Motivator

Try something like this:

index=* web_app=YouTube (src_ip="10.0.0.*" OR src_ip="known ip" OR src_ip="known ip2" ....)

V
0 Karma
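The thread turns on three things: CIDR notation in a field=value term (javiergn's /16 and /8 searches), the dotted-wildcard alternative (vasanthmss's src_ip="10.0.0.*"), and a second field whose actual values differ from what the search assumes (the web_app resolution). The following Python is an added example, not code from the thread or from Splunk: it models those SPL matching rules over a handful of constructed ASA-style key=value lines so you can check, offline, which combination of field name and value form a search would actually hit. It assumes the field is named src_ip (the question writes scr_ip), that CIDR terms behave like Splunk's cidrmatch(), and that plain values compare case-insensitively; the helper names and sample lines are mine.

```python
import ipaddress
import re
from typing import Dict, List

# Constructed sample events in a loose Cisco ASA-like key=value form.
# These are made-up lines for illustration, not real ASA output.
SAMPLE_EVENTS = [
    'src_ip=10.0.12.34 dest_ip=198.51.100.10 web_app=YouTube action=allowed',
    'src_ip=10.0.200.7 dest_ip=198.51.100.11 web_app=youtube.com action=allowed',
    'src_ip=10.42.1.9 dest_ip=198.51.100.12 web_app=YouTube action=allowed',
    'src_ip=192.0.2.5 dest_ip=198.51.100.13 web_app=YouTube action=allowed',
    'src_ip=10.0.12.34 dest_ip=198.51.100.14 web_app=Dropbox action=blocked',
]

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_event(line: str) -> Dict[str, str]:
    """Extract key=value pairs the way a simple field extraction would."""
    return dict(KV_RE.findall(line))


def cidr_match(cidr: str, ip: str) -> bool:
    """Modelled on SPL's cidrmatch(): is ip inside the CIDR block?"""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False  # a non-IP value (bad extraction) never matches


def wildcard_match(pattern: str, value: str) -> bool:
    """Splunk-style '*' wildcard on a field value, e.g. src_ip="10.0.0.*"."""
    regex = '^' + '.*'.join(re.escape(p) for p in pattern.split('*')) + '$'
    return re.match(regex, value) is not None


def term_matches(field: str, wanted: str, event: Dict[str, str]) -> bool:
    """One field=value term. A field that was never extracted (or is
    misspelled in the search) matches nothing; CIDR notation is range-tested,
    '*' is a wildcard, anything else is a case-insensitive exact compare."""
    if field not in event:
        return False
    actual = event[field]
    if '/' in wanted:
        return cidr_match(wanted, actual)
    if '*' in wanted:
        return wildcard_match(wanted, actual)
    return actual.lower() == wanted.lower()


def search(terms: Dict[str, str], lines: List[str]) -> List[Dict[str, str]]:
    """AND every field=value term over the parsed events (like an SPL base search)."""
    events = (parse_event(line) for line in lines)
    return [e for e in events if all(term_matches(f, v, e) for f, v in terms.items())]


def distinct_values(field: str, lines: List[str]) -> List[str]:
    """The check behind the thread's fix: what values does the field really carry?
    Equivalent in spirit to `... | stats count by web_app`."""
    values = {parse_event(line).get(field) for line in lines}
    return sorted(v for v in values if v is not None)


if __name__ == '__main__':
    print('/16 + YouTube :', len(search({'src_ip': '10.0.0.0/16', 'web_app': 'YouTube'}, SAMPLE_EVENTS)))
    print('/8  + YouTube :', len(search({'src_ip': '10.0.0.0/8', 'web_app': 'YouTube'}, SAMPLE_EVENTS)))
    print('wildcard 10.0.*:', len(search({'src_ip': '10.0.*', 'web_app': 'YouTube'}, SAMPLE_EVENTS)))
    print('typo scr_ip   :', len(search({'scr_ip': '10.0.0.0/16', 'web_app': 'YouTube'}, SAMPLE_EVENTS)))
    print('web_app values:', distinct_values('web_app', SAMPLE_EVENTS))
```

Running it shows the /16 and the 10.0.* wildcard agree on these events, /8 picks up the 10.42.x.x host as well, a misspelled field name returns nothing at all regardless of the IP form, and listing the distinct web_app values is the quickest way to see whether the app label you are filtering on is the one the events actually carry.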