topic Re: Unable to write a query to check IP addresses in Subnets in Splunk Search

How to write a query to check IP addresses in Subnets?

POR160893 — Thu, 01 Jun 2023 12:50:57 GMT

Hi,

I am trying to establish a query that checks whether a random src IP is in a specific subnet.

However, all the subnets and IP addresses are in String format and I am unable to establish any mathematical relationship between the conditions.

Here is a part of my current query:

| inputlookup ABC.csv
| eval ip = 10.1.2.342

| eval AMERICAS =if(ip >= 10.0.0.1 OR ip <= 10.63.255.254,"NOK","OK")

| table AMERICAS

Can you please help?

Many thanks as always,

Re: Unable to write a query to check IP addresses in Subnets

ITWhisperer — Thu, 01 Jun 2023 10:30:32 GMT

If your subnets are in CIDR format, you can use the cidrmatch() function

Re: Unable to write a query to check IP addresses in Subnets

isoutamo — Thu, 01 Jun 2023 12:45:23 GMT

I expecting that your ip is like "10.1.2.34" not "10.1.2.342" and you have e.g. subnets 10.0.0.0 - 10.63.255.255 defined for America. Then you can check it like

| eval ip = "10.1.2.34", subnet = "10.0.0.0/10" | eval AMERICAS = if (cidrmatch(subnet,ip), "OK", "NOK")

If your subnets are not exactly dived by suitable masks, you need to add needed smaller subnets and combine this if with several OR clauses.

r. Ismo