https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54453#M13305 <P>Hi, I was reading thru this and is very helpful. One question i have is, you have mentioned match_type=CIDR(clientip). If i want to mention clientips of both types in the same file, how can i do that? meaning some are regular IPs and some are CIDR blocks..The version i have is - version 5.0.2.3</P> Sat, 22 Jun 2013 20:09:52 GMT xvxt006 2013-06-22T20:09:52Z https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54450#M13302 <P>Given a set of clientip values from internal IP's, external IP's, as well as different classes of internal networks on different interfaces...</P> <P>a) what's the cleanest and most efficient way to classify each clientip as internal/external? </P> <P>and </P> <P>b) what's the best way to put an actual class=A, class=B class=C field in there? </P> Sat, 05 Mar 2011 10:03:07 GMT https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54450#M13302 sideview 2011-03-05T10:03:07Z https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54451#M13303 <P>In 4.0 and 4.1, the best way to classify a field, like clientip is through eventtypes. For example, in splunk's own app to monitor the splunk.com website we use eventtypes like:</P> <PRE><CODE>[clientip-internal] search = clientip=64.127.105.32/27 [clientip-nonroutable] search = clientip=10.0.0.0/8 OR clientip=172.16.0.0/12 OR clientip=192.168.0.0/16 [clientip-public] search = eventtype!=clientip-internal eventtype!=clientip-nonroutable </CODE></PRE> <P>With these, you can construct a field like clientip_class through the search fragment: <CODE>... | eval clientip_class = mvfilter(clientip LIKE "clientip-%") | ...</CODE></P> <P>Now, another alternative is to use scripted lookups, since native lookup tables don't support CIDR netblocks or wildcards in 4.0 and 4.1.</P> <P>In 4.2, the best practice is to use lookup tables. For example, in transforms.conf add:</P> <PRE><CODE>[ipdomain] filename = clientipclass.csv match_type = CIDR(clientip) </CODE></PRE> <P>And in clientipclass.csv have:</P> <PRE><CODE>clientip,class 10.0.0.0/8,internal 172.16.0.0/12,internal 192.168.0.0/16,internal 64.127.105.32/27,corporate </CODE></PRE> <P>Of course, in this case you'll have to set min_matches and default_value in transforms.conf to fill in the default of external.</P> Sat, 05 Mar 2011 11:52:19 GMT https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54451#M13303 Stephen_Sorkin 2011-03-05T11:52:19Z https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54452#M13304 <P>Thanks a ton. I knew some little bits of it but I was hoping someone would write it all up and you came through huge. <span class="lia-unicode-emoji" title=":grinning_face_with_big_eyes:">😃</span></P> Sat, 05 Mar 2011 13:24:32 GMT https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54452#M13304 sideview 2011-03-05T13:24:32Z https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54453#M13305 <P>Hi, I was reading thru this and is very helpful. One question i have is, you have mentioned match_type=CIDR(clientip). If i want to mention clientips of both types in the same file, how can i do that? meaning some are regular IPs and some are CIDR blocks..The version i have is - version 5.0.2.3</P> Sat, 22 Jun 2013 20:09:52 GMT https://community.splunk.com/t5/Splunk-Search/Best-way-to-filter-clientips-as-internal-external-and-group-them/m-p/54453#M13305 xvxt006 2013-06-22T20:09:52Z