topic How to remove overlapping address ranges from a field of address ranges? in Splunk Search

How to remove overlapping address ranges from a field of address ranges?

cofisher — Mon, 06 Nov 2017 20:06:22 GMT

I have a field of address ranges where i want to dedup any that overlap. For example:
10.10.20.0/23
10.10.20.160/27
10.10.20.192/26
10.10.20.64/26
10.10.21.0/26
The first range, 10.10.20.0/23, contains all the other list of ranges so I want to get rid of all the other ranges, 10.10.20.160/27, 10.10.20.192/26, 10.10.20.64/26, 10.10.21.0/26.

Re: How to remove overlapping address ranges from a field of address ranges?

shaskell_splunk — Tue, 07 Nov 2017 00:45:36 GMT

It would be helpful to understand the use case. What is the problem you're trying to solve?

You could create a custom search command using a utility like Python netaddr, more specifically IP Sets

>>> from netaddr import *
>>> ips = [IPNetwork('10.10.20.0/23'),IPNetwork('10.10.20.160/27'),IPNetwork('10.10.20.192/26'),IPNetwork('10.10.20.64/26'),IPNetwork('10.10.20.64/26'),IPNetwork('10.10.21.0/26')]
>>> print IPSet(ips)
IPSet(['10.10.20.0/23'])

Re: How to remove overlapping address ranges from a field of address ranges?

bsinkk — Tue, 17 Apr 2018 20:20:29 GMT

Yes, I know I am posting to an old thread.

Use case 1:
I have an ACL that has multiple lines that may contain overlaps and I want to streamline the list.

Use case 2:
I have two tools.

The first tool allows overlapping ranges and and determines meta data by the most restrictive.
example..
10.10.0.0/22 Production
10.10.1.0/24 Production_webservers

if the address is 10.10.0.10, it will use the meta of Production. Easy...

Tool two doesn't like the overlap, so the same list would have to be split into multiples with no overlap.
example..
10.10.0.0/24 Production
10.10.1.0/24 Production_webservers
10.10.2.0/23 Production

Crazy, right?