topic Re: How to Search Range for Grouped IP in Splunk Search

How to Search Range for Grouped IP

Akmal57 — Mon, 21 Aug 2023 04:39:22 GMT

Hi,

I have created table with host and grouped IP address the host will have public and private IP address

So my table look like this

Host IP id

Host A 10.1.1.1 21

172.1.1.1

i have ip range to identify the public ip.

i need to create another field which if the range is match mean the result will be yes if not no

i have used this query for the field

| eval "internet facing"=case(cidrmatch(172.1.1.0/24" , IP) , "Yes" , 1=1, "No")

but this eval only work on field which have 1 IP.

in my group ip field, its not working.

Please assist on this.

Thank you

Re: How to Search Range for Grouped IP

ITWhisperer — Mon, 21 Aug 2023 05:40:18 GMT

By group field, I assume you are referring to a multi-value field? If so, you could expand your events by the multi-value field so that each part can be evaluated separately

| mvexpand IP

Re: How to Search Range for Grouped IP

Akmal57 — Mon, 21 Aug 2023 07:06:26 GMT

ok, thank you for you reply. but if using mvexpand, the ip will splited by host.

is there any work around to not split the host?

if i split the ip for example like

host ip1 ip2

is there any query that can detect the internet facing by search across all the ip field

Re: How to Search Range for Grouped IP

ITWhisperer — Mon, 21 Aug 2023 07:11:32 GMT

What do you mean split by host? Perhaps if you share what your events actually look like (anonymised of course), we might be able to figure out what it is you are trying to do.

Re: How to Search Range for Grouped IP

Akmal57 — Mon, 21 Aug 2023 07:33:42 GMT

if using mvexpand, my result is like this:

Host IP Internet Facing

Host A 10.1.1.1 No

Host A 172. 1.1.1 Yes

for the ip field, i have combined from 2 sources

my table should look like this:

Host IP Internet Facing

Host A 10.1.1.1 Yes

172. 1.1.1

Below is my sample query

index=a or sourcetype=b
|eval ip=mvappend(IP1, IP2)

|stats value(ip) as ip by host

| eval "internet facing"=case(cidrmatch(172.1.1.0/24" , IP) , "Yes" , 1=1, "No")

I need the result to look like the second example table above, which does not splitting the host.

Re: How to Search Range for Grouped IP

ITWhisperer — Mon, 21 Aug 2023 07:54:48 GMT

If you already have two fields with the IP addresses, you can compare them prior to the mvappend

index=a or sourcetype=b | eval "internet facing"=case(cidrmatch(172.1.1.0/24" , IP1) , "Yes" , cidrmatch(172.1.1.0/24" , IP2) , "Yes" , 1==1, "No") | eval ip=mvappend(IP1, IP2) | fields - IP1 IP2

Re: How to Search Range for Grouped IP

Akmal57 — Mon, 21 Aug 2023 08:04:40 GMT

Owh, thank you very much. it work perfectly as needed.