https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37527#M178649 <P>Splunk today is IPv4 subnet aware so that if you do a search with something like ip_address = 10.0.0.0/24 .. splunk knows to look for items 10.0.0.0 thru 10.0.0.255 ... NICE ! Now what about IPV6 ... I think the answer is No. my question is when or how can this be done </P> <P>example IPv6_ADDR = 2001:54FF::/48 would look for a whole lot of stuff but something like 2001:54FF:: to 2001:54FF:0000:FFFF:FFFF</P> <P>And this gets instresting as you can show the first part of the IPV6 address as 2001:54FF:0000:0000 or 2001:54ff:: or 2001:54ff:0000::</P> <P>It depends on what the system sending the log spits out ...</P> Thu, 03 Feb 2011 03:00:18 GMT g_prez 2011-02-03T03:00:18Z https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37527#M178649 <P>Splunk today is IPv4 subnet aware so that if you do a search with something like ip_address = 10.0.0.0/24 .. splunk knows to look for items 10.0.0.0 thru 10.0.0.255 ... NICE ! Now what about IPV6 ... I think the answer is No. my question is when or how can this be done </P> <P>example IPv6_ADDR = 2001:54FF::/48 would look for a whole lot of stuff but something like 2001:54FF:: to 2001:54FF:0000:FFFF:FFFF</P> <P>And this gets instresting as you can show the first part of the IPV6 address as 2001:54FF:0000:0000 or 2001:54ff:: or 2001:54ff:0000::</P> <P>It depends on what the system sending the log spits out ...</P> Thu, 03 Feb 2011 03:00:18 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37527#M178649 g_prez 2011-02-03T03:00:18Z https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37528#M178650 <P>opps was a bit off this FFFF:FFFF in the that post that address should be 2001:54FF:0000:ffff:ffff:ffff:ffff:ffff<BR /> got tired of typing ffff I guess.</P> Thu, 03 Feb 2011 08:22:15 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37528#M178650 g_prez 2011-02-03T08:22:15Z https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37529#M178651 <P>This search shows the problem.</P> <P>| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF::/48</P> <P>Splunk currently does not support ipv6 CIDR searching.</P> <P>BUT, because you are searching for a /48, these both work:</P> <P>| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*</P> <P>| stats count | eval ips="2001:54ff:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*</P> <P>As you can see, the capitalization does not matter.</P> Thu, 16 Apr 2015 10:59:57 GMT https://community.splunk.com/t5/Splunk-Search/IPv6-subnets-and-splunk-searchs/m-p/37529#M178651 bshuler_splunk 2015-04-16T10:59:57Z