Loop IP address from 10.0.1.0/24 to 10.10.1.0/24 - How to extract events that belong to this IP range?

mahs33
Explorer

I want to extract the events that belong to the IP ranges 10.0.1.0/24, 10.1.1.0/24, 10.2.1.0/24, up to 10.10.1.0/24. Is CIDR notation suited for it? The 10, 1 and 0/24 parts are common; only one value should be looped.

0 Karma

Richfez
SplunkTrust

From other comments, my guess as to the best fit for this use case would be eventtypes, macros or tags.

Eventtypes and macros can be created from a search. In your case, you could create an eventtype like

[MySpecialIPAddresses]
search = index=mynetworkindex ip_addr="10.0.1.0/24" OR ip_addr="10.1.1.0/24" OR ...

Finish that trailing set of dots, of course. If you put that in eventtypes.conf, you could then search like

eventtype=MySpecialIPAddresses

And that will get all the events that the preceding "eventtype" search matches.

A macro could be created with nearly the exact same search string. To use it, you would put the macro name in backticks where you would normally have used the search. So if you created a macro named myIPAddresses with the same search as the above eventtype, you could call it like so in a regular search:

`myIPAddresses` | ... do more stuff ...

I will leave tags as an exercise for the user, but since you can't use an actual "regular" search in a tag definition, you'll probably want an eventtype anyway.

0 Karma

masonmorales
Influencer

By extract, do you mean filter in search? If so...
index=yourindex your_ip_field=10.0.1.0/24 OR your_ip_field=10.10.1.0/24

0 Karma

mahs33
Explorer

Thank you for your response. What I need is 10.0.1.0, 10.1.1.0, 10.2.1.0, up to 10.10.1.0, like that. I need to loop through 1-10.

0 Karma

Richfez
SplunkTrust

Can you describe what it is you are trying to do? What problem you have that you are trying to solve? A description of what it is you are actually doing would do wonders for the quality of the answers.

You can edit the question directly (click the gears beside the question and select edit) and include more information about what you have, what you are trying to do, what you've tried so far, and what sort of information, report or graph you are trying to get out the back end.

0 Karma

mahs33
Explorer

I want to extract the events that belong to the IP ranges 10.0.1.0/24, 10.1.1.0/24, 10.2.1.0/24, up to 10.10.1.0/24. I want to create a tag for that IP address range to reduce query length.
Or I want a query that loops 10.0 to 10.10 while keeping the last 16 bits constant.

0 Karma
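As an added example (not code from this thread or from Splunk), the following Python script generates the eventtypes.conf stanza that Richfez's answer leaves as "OR ...", with the second octet looped 0 through 10 as the question asks, and shows a second way to match the same range with one regular expression usable in SPL's `| regex` command. The field name `ip_addr`, index `mynetworkindex` and eventtype name are taken from Richfez's post; the sample IPs are constructed.

```python
import ipaddress
import re

# Constructed from the question: only the second octet varies (0..10),
# the first octet (10), third octet (1) and /24 mask stay fixed.
SUBNETS = [ipaddress.ip_network(f"10.{i}.1.0/24") for i in range(0, 11)]


def eventtype_stanza(field="ip_addr", index="mynetworkindex",
                     name="MySpecialIPAddresses"):
    """Render an eventtypes.conf stanza listing every /24 in SUBNETS.

    Splunk's search-time CIDR matching (field="a.b.c.d/24") does the
    membership test, so the stanza is just the OR of all eleven networks.
    """
    terms = " OR ".join(f'{field}="{net}"' for net in SUBNETS)
    return f"[{name}]\nsearch = index={index} {terms}\n"


# Alternative: one PCRE for `| regex ip_addr="<pattern>"`.  The second
# octet is 0-9 or 10, the third octet is exactly 1, the host octet 0-255.
RANGE_REGEX = re.compile(
    r"^10\.(?:[0-9]|10)\.1\.(?:25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$"
)


def in_range_cidr(ip):
    """True if ip falls inside any of the eleven /24 networks."""
    return any(ipaddress.ip_address(ip) in net for net in SUBNETS)


def in_range_regex(ip):
    """Same test using the single regex (no network parsing needed)."""
    return RANGE_REGEX.match(ip) is not None


if __name__ == "__main__":
    print(eventtype_stanza())
    for sample in ("10.0.1.0", "10.10.1.77", "10.11.1.1", "10.1.2.1"):
        print(sample, in_range_cidr(sample), in_range_regex(sample))
```

Paste the printed stanza into eventtypes.conf and search with eventtype=MySpecialIPAddresses, as described above; the regex form keeps the query short without an eventtype but is only correct if ip_addr holds a single dotted-quad value.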