Splunk Search

Loop IP address from 10.0.1.0/24 to 10.10.1.0/24 - How to extract events that belong to this IP range?

mahs33
Explorer

I want to extract the events that belong to that IP range 10.0.1.0/24, 10.1.1.0/24, 10.2.1.0/24, up to 10.10.1.0/24. Is CIDR notation suited for it? 10, 1, 0/24 are common. Only one value should be looped.

0 Karma

Richfez
SplunkTrust

From other comments, my guess as to the best fit for this use case would be eventtypes, macros or tags.

Eventtypes and macros can be created from a search. In your case, you could create an eventtype like

[MySpecialIPAddresses]
search = index=mynetworkindex ip_addr="10.0.1.0/24" OR ip_addr="10.1.1.0/24" OR ...

Finish that trailing set of dots, of course. If you put that in eventtypes.conf, you could then search like

eventtype=MySpecialIPAddresses

And that will get all the events that the preceding "eventtype" search matches.

A macro could be created with nearly the exact same search string. To use it, you would put the macro name in backticks where you would normally have used the search. So if you created a macro named myIPAddresses just like the above eventtype's search, you could call it like so in a regular search:

`myIPAddresses` | ... do more stuff ...

I will leave tags as an exercise for the user, but since you can't use an actual "regular" search in a tag definition, you'll probably want an eventtype anyway.

0 Karma
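As an added example, not part of Richfez's answer or anything else in this thread: the search string above can be generated instead of typed out, which also makes the "loop from 10.0 to 10.10" the asker wants explicit. The Python below assumes the field name ip_addr, the index mynetworkindex and the eventtype and macro names used in the answer, plus the standard search = key of eventtypes.conf and definition = key of macros.conf. It emits both stanzas, then runs the same eleven-network membership test over a few constructed events, including values a naive wildcard or a single supernet would wrongly match.

```python
"""Build the Splunk eventtype/macro search for 10.N.1.0/24, N=0..10, and
check sample IPs against the same set of networks offline.

Example code added to this thread; the field name, index and stanza
names are assumptions carried over from the answer above."""
import ipaddress

FIELD = "ip_addr"          # hypothetical field name, as in the answer
FIRST, LAST = 0, 10        # loop 10.0.1.0/24 .. 10.10.1.0/24 inclusive


def target_networks(first=FIRST, last=LAST):
    """The eleven /24s the question asks for. They are not one contiguous
    block: 10.0.1.0 and 10.1.1.0 are 65536 addresses apart, so no single
    CIDR covers exactly this set (10.0.0.0/12 would pull in far more)."""
    return [ipaddress.ip_network(f"10.{n}.1.0/24") for n in range(first, last + 1)]


def spl_search(field=FIELD, index="mynetworkindex"):
    """Search string of the same shape as the answer's eventtype search."""
    terms = " OR ".join(f'{field}="{net}"' for net in target_networks())
    return f"index={index} {terms}"


def eventtype_stanza(name="MySpecialIPAddresses"):
    """eventtypes.conf stanza: the search goes under the 'search' key."""
    return f"[{name}]\nsearch = {spl_search()}\n"


def macro_stanza(name="myIPAddresses"):
    """macros.conf stanza: the same search goes under the 'definition' key."""
    return f"[{name}]\ndefinition = {spl_search()}\n"


def in_target_range(ip):
    """Offline equivalent of the filter: True if ip is inside one of the /24s."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in target_networks())


def filter_events(events, field=FIELD):
    """Keep events whose field falls in range; events with a missing field
    or an unparsable value are dropped rather than raising."""
    kept = []
    for ev in events:
        try:
            if in_target_range(ev[field]):
                kept.append(ev)
        except (KeyError, ValueError):
            continue
    return kept


# Constructed sample events for this example, not taken from the thread.
SAMPLE_EVENTS = [
    {"ip_addr": "10.0.1.15", "action": "allowed"},   # in 10.0.1.0/24
    {"ip_addr": "10.10.1.254", "action": "denied"},  # in 10.10.1.0/24, the last /24 of the loop
    {"ip_addr": "10.11.1.5", "action": "allowed"},   # one past the loop: out
    {"ip_addr": "10.5.2.9", "action": "allowed"},    # third octet is 2, not 1: out
    {"ip_addr": "10.200.1.7", "action": "denied"},   # a string wildcard 10.*.1.* would match this; it is out
    {"ip_addr": "not-an-ip", "action": "denied"},    # malformed value: skipped
    {"action": "allowed"},                           # field missing: skipped
]

if __name__ == "__main__":
    print(eventtype_stanza())
    print(macro_stanza())
    for ev in filter_events(SAMPLE_EVENTS):
        print("match:", ev)
```

Paste the printed eventtype stanza into eventtypes.conf (or the macro stanza into macros.conf) and then search with eventtype=MySpecialIPAddresses or `myIPAddresses`, exactly as the answer describes; the offline filter only mirrors which values those eleven CIDR terms will and will not select.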

masonmorales
Influencer

By extract, do you mean filter in search? If so...
index=yourindex your_ip_field=10.0.1.0/24 OR your_ip_field=10.10.1.0/24

0 Karma

mahs33
Explorer

Thank you for your response. What I need is 10.0.1.0, 10.1.1.0, 10.2.1.0, up to 10.10.1.0, like that. I need to loop through 1-10.

0 Karma

Richfez
SplunkTrust

Can you describe what it is you are trying to do? What problem you have that you are trying to solve? A description of what it is you are actually doing would do wonders for the quality of the answers.

You can edit the question directly (click the gears beside the question and select edit) and include more information about what you have, what you are trying to do, what you've tried so far, and what sort of information, report or graph you are trying to get out the back end.

0 Karma

mahs33
Explorer

I want to extract the events that belong to the IP range 10.0.1.0/24, 10.1.1.0/24, 10.2.1.0/24, up to 10.10.1.0/24. I want to create a tag for that IP address range to reduce query length,
or I want a query to loop from 10.0 to 10.10 while keeping the last 16 bits constant.

0 Karma