topic Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address? in Splunk Search

How to write a search to find if a field contains a valid IPv4 or IPv6 address?

hcastell — Fri, 17 Oct 2014 20:40:02 GMT

Hi all, as a splunk newbie I'm not sure what direction to go with the following. Basically I have two Interesting fields, one contains an IPv4 address and the other contains an IPv6 address. Sometime though these fields contain 0.0.0.0 for IPv4 and :: for IPv6. What I need is a search string that allows me to test these two fields to make sure they have valid addresses. I know how to test for 0.0.0.0 or :: but want to test that a valid address exists. Later I will have to verify that the address is correct based on values in other interesting fields (example: user is in building 1, IP address must be x.x.x.y etc..). I see lots of examples of how to extract addresses but in my case I don't need to extract anything as the value exists in an interesting field. Hope my question is clear. Appreciate any guidance offered.

Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address?

martin_mueller — Fri, 17 Oct 2014 23:05:27 GMT

You can verify IPv4 addresses like this (assuming field name is ipv4😞

... | eval ipv4_valid = if(match(ipv4, "^((25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.){3}(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$"), "valid", "invalid")

And IPv6 like this:

... | eval ipv6_valid = if(match(ipv6, "^(([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:)|fe80:(:[0-9a-fA-F]{0,4}){0,4}%[0-9a-zA-Z]{1,}|::(ffff(:0{1,4}){0,1}:){0,1}((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9])|([0-9a-fA-F]{1,4}:){1,4}:((25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]).){3,3}(25[0-5]|(2[0-4]|1{0,1}[0-9]){0,1}[0-9]))$"), "valid", "invalid")

The IPv6 regex has been shamelessly stolen from http://stackoverflow.com/a/17871737 🙂

It'd probably be a good idea to plonk these things into a macro.

Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address?

hcastell — Fri, 17 Oct 2014 23:43:24 GMT

Thanks Martin. This helps a lot. Will research creating a macro for these as you suggest.

Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address?

martin_mueller — Sat, 18 Oct 2014 15:26:46 GMT

Doesn't take a lot of research - Go to Settings -> Advanced Search -> Macros -> New -> Give it a name and paste the content -> set permissions to "global" and "Everyone" -> use in a search like this:

... | eval ipv6_valid = if(match(ipv6, `your_ipv6_regex_macro`)) | ...

Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address?

hcastell — Mon, 20 Oct 2014 00:57:29 GMT

Thanks. Had not done a Macro before before so this is very helpful.

Re: How to write a search to find if a field contains a valid IPv4 or IPv6 address?

tfujita_splunk — Sun, 22 Dec 2024 23:12:24 GMT

I created a Splunk Macros for regular expressions for IPv4 and IPv6 addresses.

Definitions and usages are in an article below.
https://qiita.com/Joh256/private/659ef65897905890ef99

I also put them in an add-on below.
https://splunkbase.splunk.com/app/6595