topic Re: Grouping IP subnet and also show the IPs that it has grouped in Splunk Search

Grouping IP subnet and also show the IPs that it has grouped

anlePRH — Wed, 04 Jun 2025 14:43:42 GMT

I currently have this to group IPs into subnets and list the counts, I want it to also show the IP it has listed aswell

| rex field=SourceIP "(?<Subnet>\d+\.\d+\.\d+\.*)"

example

Subnet Count IPs

1.1.1 20 1.1.1.1, 1.1.1.2,1.1.1.3

How do I create another field or use the existing field to show what it has grouped?

Re: Grouping IP subnet and also show the IPs that it has grouped

richgalloway — Wed, 04 Jun 2025 15:22:59 GMT

It would be helpful to know what you've tried already and those efforts failed to meet expectations.

Perhaps this will help.

| rex field=SourceIP "(?<Subnet>\d+\.\d+\.\d+\.*)" | stats count as Count, values(SourceIP) as IPs by Subnet

Re: Grouping IP subnet and also show the IPs that it has grouped

livehybrid — Wed, 04 Jun 2025 16:15:30 GMT

Hi @anlePRH

Are you already producing the table you shared in your original post, or is that what you are wanting to get to?

You should be able to use the following after your REX:

| stats list(SourceIP) as IPs, count as Count by Subnet

🌟 Did this answer help you? If so, please consider:

Adding karma to show it was useful
Marking it as the solution if it resolved your issue
Commenting if you need any clarification

Your feedback encourages the volunteers in this community to continue contributing

Re: Grouping IP subnet and also show the IPs that it has grouped

PickleRick — Thu, 05 Jun 2025 10:30:55 GMT

In this case values(SourceIP) might be more desirable than list(SourceIP). The former will show unique values while the latter will show a list of fields, however many times they appear.