Splunk Search

iterate over extracted value from field and then print it

kannu
Communicator

Dear Splunkers,

I have one field in which there is a value like net = 192.168.128.0/24. From this field-value pair I want a new field (New ip) in which the values must be 192.168.128.0, 192.168.128.1, 192.168.128.2, 192.168.128.3 ............................................ 192.168.128.24.

I mean the field values must be printed from 0 to 24 with 192.168.128. as the prefix, and the 24 is subject to change.

Warm Regards
Kannu


woodcock
Esteemed Legend

Splunk Enterprise Security (ES) comes with a python script called expandiprange that you can access for this, but I am not sure what the SPL front end is for it (you may have to build one).


somesoni2
SplunkTrust

I would say double-check your interpretation of 192.168.128.0/24, as you don't want to show wrong data in your report/dashboard.

If, for some reason, that comes out to be 192.168.128.0 to 192.168.128.23, then you can do it like this:

| gentimes start=-1
| eval net = "192.168.128.0/24"
| table net
| rex field=net "^(?<ip>(\d{1,3}\.){3})(?<start>\d+)\/(?<end>\d+)"
| eval temp=mvrange(start,end)
| eval ip=ip.mvjoin(temp," ".ip)
| makemv ip
| table net ip

kannu
Communicator

Yes, this is what I want. Thank you, somesoni2.


DalJeanis
SplunkTrust

@kannu -

The second part of this answer will give you some background about CIDR notation.

The first part is to tell you it isn't possible to do exactly what you are talking about, because multivalue fields are generally limited to 100 values, and /24 would be 255 values.

I'm not saying you can't get the list, I'm saying it won't all fit in one multivalue field. So you need to rethink your strategy. It COULD be done as a space-delimited list, but you need to explain your use case a little more to be sure we are giving you what you really need.

How is this list going to be used?


In CIDR notation, 192.168.128.0/24 means "starting at 192.168.128.0 with the highest 24 bits masked and therefore ignored".

That is equivalent to "starting at 192.168.128.0 with the lowest 8 bits able to be specified"

So

192.168.128.0/24

is equivalent to

192.168.128.0 - 255

Reference here - https://whatismyipaddress.com/cidr

note - IPs ending in 0 and 255 are special cases that we're going to ignore for the rest of this discussion. There's lots more reading elsewhere if you care to learn it, but they are more about usage and they don't affect the definition of a CIDR.


If you wanted to deal with any number other than 24, it gets more complicated.

23 indicates that there is one bit of the third number that can be flipped, so....

192.168.128.0/23

means

192.168.128.0 thru 255
192.168.129.0 thru 255

26 indicates that there are only six bits of the last number that can be flipped, a total of 64 values, so....

192.168.128.0/26

means

192.168.128.0 - 63

...and...

192.168.128.128/26

means

192.168.128.128 - 191
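A worked version of the CIDR arithmetic above, as an added example that is not part of this thread and not Splunk's own code. It is in Python rather than SPL because the asker mentions doing this with a Python for loop and SPL cannot be run outside Splunk; the function names and the `max_addresses` guard are the editor's own assumptions. It expands a block the way CIDR actually defines it (the /23 and /26 cases above included), refuses blocks too large to be useful as a single field, and reproduces what the accepted `rex ... | eval temp=mvrange(start,end)` search computes so the two readings can be compared on the same input.

```python
"""Expand an IPv4 CIDR block into individual addresses.

Added example; not code from this thread or from Splunk. Function names
and the size guard are the editor's own choices.
"""
import ipaddress
import re
from typing import Dict, List


def _network(net: str, max_addresses: int) -> ipaddress.IPv4Network:
    # strict=False tolerates host bits being set (192.168.128.1/24 still
    # means the 192.168.128.0/24 block); the size cap is an assumption,
    # not a Splunk limit: a /8 holds 16,777,216 addresses.
    network = ipaddress.ip_network(net, strict=False)
    if network.num_addresses > max_addresses:
        raise ValueError(
            f"{net} has {network.num_addresses} addresses, more than {max_addresses}"
        )
    return network


def expand_cidr(net: str, max_addresses: int = 65536) -> List[str]:
    """All addresses in the block, network and broadcast included.

    192.168.128.0/24 -> 256 addresses (.0 .. .255); 192.168.128.0/26 -> 64.
    """
    return [str(addr) for addr in _network(net, max_addresses)]


def expand_cidr_hosts(net: str, max_addresses: int = 65536) -> List[str]:
    """The block without the network (.0) and broadcast (.255) addresses,
    the two special cases the explanation above sets aside."""
    return [str(addr) for addr in _network(net, max_addresses).hosts()]


def summarize_cidr(net: str) -> Dict[str, object]:
    """First/last address and size, i.e. the ranges worked out above."""
    network = ipaddress.ip_network(net, strict=False)
    return {
        "first": str(network.network_address),
        "last": str(network.broadcast_address),
        "count": network.num_addresses,  # 2 ** (32 - prefixlen)
        "netmask": str(network.netmask),
    }


# Python spelling of the accepted answer's rex: (?<name>...) becomes (?P<name>...)
_SPL_RE = re.compile(r"^(?P<ip>(\d{1,3}\.){3})(?P<start>\d+)/(?P<end>\d+)$")


def expand_as_accepted_search(net: str) -> List[str]:
    """What the accepted rex + mvrange(start, end) search actually produces.

    It reads the prefix length as an upper bound on the last octet, and
    mvrange's upper bound is exclusive, so 192.168.128.0/24 yields
    .0 .. .23: 24 values, not the 256 the CIDR denotes.
    """
    m = _SPL_RE.match(net)
    if not m:
        raise ValueError(f"not in a.b.c.d/n form: {net!r}")
    prefix, start, end = m.group("ip"), int(m.group("start")), int(m.group("end"))
    return [f"{prefix}{i}" for i in range(start, end)]


def compare(net: str) -> Dict[str, int]:
    """Address count under the CIDR definition versus the accepted search."""
    return {
        "cidr": len(expand_cidr(net)),
        "accepted_search": len(expand_as_accepted_search(net)),
    }


if __name__ == "__main__":
    for block in ("192.168.128.0/24", "192.168.128.0/23",
                  "192.168.128.0/26", "192.168.128.128/26"):
        print(block, summarize_cidr(block), compare(block))
```

Running it shows the gap a dashboard built on the accepted search would carry: 192.168.128.0/24 expands to 256 addresses under the CIDR definition but to 24 under the search, and 192.168.128.128/26 expands to the 64 addresses .128 to .191 under the definition but to nothing at all under the search, because `range(128, 26)` is empty. Any allow-list, scan scope or report derived from the search would therefore be missing most of the block.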

woodcock
Esteemed Legend

Are you saying that you would like a command/tool to take a CIDR and explode it into a CSV of individual IP addresses?


kannu
Communicator

Not explode, just make a new field with the mentioned values while running SPL.

In Python that can be achieved using a for loop, but how do I do that in Splunk?


cpetterborg
SplunkTrust

And you realize that 192.168.128.0/24 refers to 192.168.128.0 through 192.168.128.255, not through 192.168.128.24 and one like 192.168.0.0/16 would mean all addresses from 192.168.0.0 through 192.168.255.255, right? I'm just making sure because from your description it appears that is not the case.

kannu
Communicator

192.168.128.0/24 means from 192.168.128.0 to 192.168.128.24.

Those 24 values I want under one field name.

The question is simple, guys: there is one field-value pair net = 192.168.128.0/24.
From that I want to create a new field which would have only 24 values, i.e. from 192.168.128.0 to 192.168.128.24.

For example:
New field = 192.168.128.1
            192.168.128.2
            192.168.128.3
            192.168.128.4
            192.168.128.5
            192.168.128.6
            192.168.128.7
            192.168.128.8
            192.168.128.9
            .
            .
            .
            192.168.128.24
