Solved: With a full list of class C IPs, how can i get Spl...

cabowman · ‎09-04-2018

We are searching new environments monthly this means we are blind going in. I can get Splunk to stat out a total list of ips, but i'm not sure how to get it to find all the VLANs. Here is an example search.

sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip

It gives me a list of Private ip addresses in the Bro Conn log. I would like to see all the VLANS that these ips reside on.

for example lets say my search returned:
192.168.0.123
192.168.10.30
192.168.20.32
10.1.0.100
10.10.2.45

i would like to no that 5 total subnets maybe even list them out as
192.168.0
192.168.10
192.168.20
10.1.0
10.10.2

harsmarvania57 · ‎09-05-2018

Hi @cabowman,

Try below query with rex command.

sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count AS Devices_on_VLAN by src_ip | rex field=src_ip "^(?<VLANS>.*)\."  | table VLANS, Devices_on_VLAN

Below is run anywhere search which is producing desired output based on your requirement

| makeresults | eval src_ip="192.168.0.123"
| append [ | makeresults | eval src_ip="10.10.0.8" ]
| rex field=src_ip "^(?<VLANS>.*)\."

I hope this helps.

Thanks,
Harshil

View solution in original post

FrankVl · ‎09-05-2018

How can you get a list of VLANs, when all you have to go on, is a list of IP addresses? That is simply impossible.

Firstly, because a VLAN is something rather different than a subnet, you seem to mixing the two concepts?

Secondly, because subnets can have arbitrary size (classes only exist in ancient networking textbooks, not in reality). So given just an IP address, it is impossible to determine the subnet it is in.

harsmarvania57 · ‎09-05-2018

I totally agree with @FrankVI, solution which I have provided that is simple solution to extract IP address till 3rd decimal point but not actual VLAN.

harsmarvania57 · ‎09-05-2018

Hi @cabowman,

Try below query with rex command.

sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count AS Devices_on_VLAN by src_ip | rex field=src_ip "^(?<VLANS>.*)\."  | table VLANS, Devices_on_VLAN

Below is run anywhere search which is producing desired output based on your requirement

| makeresults | eval src_ip="192.168.0.123"
| append [ | makeresults | eval src_ip="10.10.0.8" ]
| rex field=src_ip "^(?<VLANS>.*)\."

I hope this helps.

Thanks,
Harshil

cabowman · ‎09-04-2018

When using this search i get the desired output but it seems like alot more work then it should be. Are there easier ways to do this?

sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip | eval temp=split(src_ip,".") | eval oct1=mvindex(temp,0) | eval oct2=mvindex(temp,1) | eval oct3=mvindex(temp,2) | stats count by oct1,oct2,oct3 | eval VLANS=oct1.".".oct2.".".oct3 | table VLANS, count | rename count as "Devices on VLAN"

mstjohn_splunk · ‎09-04-2018

Hi @cabowman,

Would you mind posting some search examples that you have tried (anonymized, of course)? You'll have a better chance getting your question answered if our community has something to go on.

Thanks for posting!

With a full list of class C IPs, how can i get Splunk to show me how many VLANs are in the data?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms