topic Re: find logs for IP Address in Splunk Search

find logs for IP Address

hyahmadi — Tue, 17 Jun 2014 11:45:02 GMT

hello,
I want to search proxy logs for 2 different area of ip address ?
(like from x.x.x.x to y.y.y.y and from x1.x2.x3.x4 to y1.y2.y3.y4)
Any help is appreciated
thanks

Re: find logs for IP Address

alterdego — Tue, 17 Jun 2014 12:02:20 GMT

The way you have posed the question implies that you are looking for two sets of contiguous IP space.
If true you can use an ORed CIDR notation for your search.
Example: field=10.0.0.0/8 OR field=172.16.0.0/12

Or did I misunderstand the questions?

Re: find logs for IP Address

pmdba — Tue, 17 Jun 2014 12:22:01 GMT

I would use the cidrmatch function, assuming an index of "proxy" and an IP address field of "ip_address":

index=proxy | eval isRange1=if(cidrmatch("x.x.x.x/a",ip_address),"true","false") eval isRange2=if(cidrmatch("x1.x2.x3.x4/b",ip_address),"true","false") | search (isRange1=true OR isRange2=true)

Where "a" and "b" and the appropriate CIDR masks (use a network calculator to generate them accurately) to limit your IP ranges, like so:

index=proxy | eval isRange1=if(cidrmatch("192.168.1.0/24",ip_address),"true","false") eval isRange2=if(cidrmatch("172.16.0.0/16",ip_address),"true","false") | search (isRange1=true OR isRange2=true)

Re: find logs for IP Address

hyahmadi — Tue, 17 Jun 2014 12:23:03 GMT

clarification
I have to extract proxy logs with the following fields(UrlDestHost,ClientIP,Protocol,rules...)
for our partner users in France and Germany.