splunk syntax search a subnet

trojan_81 · ‎12-19-2019

All,

I want search a subnet over all indexes and sourcetypes. The subnet is 5.5.0.0/16
How would the query look so I can identify any IP within the 5.5.0.0/16 subnet?

thanks in advance

tbavarva · ‎12-21-2019

Below query is written considering search for 5.5.0.0/16 subnet over any index and sourcetype and IP address is not extracted in particular field (src and dest).

index=* sourcetype=* "5.5.0.0/16"

If your events have extracted IP address in src and dest fields, you can go for the query what @to4kawa has mentioned in its post.

Regards,
Tejas

to4kawa · ‎12-21-2019

TERM("5.5.0.0/16")

Is this possible?

martynoconnor · ‎12-21-2019

I'm not sure about using TERM for subnets. TERM instructs Splunk to not view the dot as a minor breaker, but instead to literally search for that IP, not for 5 5 0 0.

to4kawa · ‎12-21-2019

thanks, @martynoconnor
that's right.
Search failed.

to4kawa · ‎12-20-2019

index=your_index sourcetype=your_sourcetype src="5.5.0.0/16" OR dst="5.5.0.0/16"

splunk can resolve prefix.

splunk syntax search a subnet

More Ways To Control Your Costs With Archived Metrics | Register for Tech Talk

.conf24 | Personalize your .conf experience with Learning Paths!

Threat Hunting Unlocked: How to Uplevel Your Threat Hunting With the PEAK Framework ...