Splunk Search

splunk syntax search a subnet

trojan_81
Path Finder

All,

I want search a subnet over all indexes and sourcetypes. The subnet is 5.5.0.0/16
How would the query look so I can identify any IP within the 5.5.0.0/16 subnet?

thanks in advance

Tags (2)
0 Karma

tbavarva
Path Finder

Below query is written considering search for 5.5.0.0/16 subnet over any index and sourcetype and IP address is not extracted in particular field (src and dest).

index=* sourcetype=* "5.5.0.0/16"

If your events have extracted IP address in src and dest fields, you can go for the query what @to4kawa has mentioned in its post.

Regards,
Tejas

0 Karma

to4kawa
Ultra Champion
TERM("5.5.0.0/16")

Is this possible?

0 Karma

martynoconnor
Communicator

I'm not sure about using TERM for subnets. TERM instructs Splunk to not view the dot as a minor breaker, but instead to literally search for that IP, not for 5 5 0 0.

0 Karma

to4kawa
Ultra Champion

thanks, @martynoconnor
that's right.
Search failed.

0 Karma

to4kawa
Ultra Champion
index=your_index sourcetype=your_sourcetype src="5.5.0.0/16" OR dst="5.5.0.0/16"

splunk can resolve prefix.

0 Karma
Get Updates on the Splunk Community!

Index This | I am a number, but when you add ‘G’ to me, I go away. What number am I?

March 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...

What’s New in Splunk App for PCI Compliance 5.3.1?

The Splunk App for PCI Compliance allows customers to extend the power of their existing Splunk solution with ...

Extending Observability Content to Splunk Cloud

Register to join us !   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to ...