topic Re: Search for multiple IP ranges in Splunk Search

Search for multiple IP ranges

bsteelz93 — Wed, 30 Mar 2011 05:15:38 GMT

I am looking for the best way to search multiple IP ranges. Currently I am using rex as follows

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1.\d+.\d+.(?<oct>\d+): | search oct>=0 oct<=100

This works as intended and will show every value where the last octet is >=0 or <=100. I have 2 quesitons:

[1] How can I make so I could search many ranges? Something like:

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1.\d+.\d+.(?<oct>\d+): | search oct>=0 oct<=100
sourcetype=mysourcetype 2.*.*.* | rex field=ip "2.\d+.\d+.(?<oct>\d+): | search oct>=0 oct<=100

[2]. Is there a way to make so its not this range?

Re: Search for multiple IP ranges

dwaddle — Wed, 30 Mar 2011 05:46:55 GMT

If you can express what you're looking for in CIDR notation, Splunk is smart enough to do this pretty much itself using where and cidrmatch. See http://www.splunk.com/base/Documentation/latest/SearchReference/Where for more info.

But, if you really want to do octet ranges, something like this should work as a more generalized rule:

sourcetype=mysourcetype 
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)" 
| search ( ( ip_octet1 >= 204 ip_octet1 <=207 ip_octet3 >=70 ) OR ip_octet3=105 )

You can perform arbitrarily complex boolean expressions of AND, OR, and NOT to get your point across, as long as you properly wrap it with parentheses.

But, hopefully, the CIDR approach is much more workable for you.

Re: Search for multiple IP ranges

southeringtonp — Wed, 30 Mar 2011 07:32:13 GMT

CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks.

Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:
http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table

Re: Search for multiple IP ranges

bsteelz93 — Fri, 01 Apr 2011 00:46:05 GMT

great. I am just wondering from if from a performance perspective whats best. If I do cidr then I could do src=1.1.1.1/8. So my questions is would it be best to do cidrmatch(src, 1.1.1.1/8) or src=1.1.1.1/8?