topic Re: cidrmatch() returning no matches in Splunk Search

cidrmatch() returning no matches

splunknewby — Mon, 13 Jul 2015 01:18:16 GMT

I'm using cidrmatch() to determine whether a particular IP is on a local network, but when I query Splunk it returns nothing even though there are local IP addresses in the ingested data.

I'm running the following query:
index=main | stats count | eval ip=src_addr | eval network=if(cidrmatch("192.168.0.0/16",ip),"Local","Other") | stats count by ip, network

which returns no results, even though there are IP addresses in the 192.168.0.0/16 domain.

What could be the issue?

Could it be that the src_add field is saved a string. Is there a way for Splunk to save that as an IP address field?

Re: cidrmatch() returning no matches

HiroshiSatoh — Mon, 13 Jul 2015 01:44:06 GMT

index=main | stats count |・・・・
->Field is only to count.

Re: cidrmatch() returning no matches

MuS — Mon, 13 Jul 2015 02:17:00 GMT

Or maybe a bit more detailed: What @HiroshiSatoh means is, you will loose any fields after the stats count if you don't define them along side of the stats. So you will only have a field called count after the stats count remove it form your search and it should return results as long you have a field called src_addr 😉

Re: cidrmatch() returning no matches

splunknewby — Mon, 13 Jul 2015 02:20:04 GMT

Hey MuS, I tried that and got a few hits. Only I now see a few 192.168.x.x addresses being classified as "Other"?

Re: cidrmatch() returning no matches

MuS — Mon, 13 Jul 2015 02:39:12 GMT

could it be that you have some multivalue fields or the src_ip field is not always nummeric?

Re: cidrmatch() returning no matches

splunknewby — Mon, 13 Jul 2015 03:28:13 GMT

Ah! cheers, my address ingestion is doubling up for some reason. I used mvindexto grab the first entry and ran cidrmatch() with success.

Re: cidrmatch() returning no matches

MuS — Mon, 13 Jul 2015 03:29:45 GMT

You're welcome, feel free to upvote any useful answers 😉

Re: cidrmatch() returning no matches

splunknewby — Mon, 13 Jul 2015 03:32:43 GMT

Quick question, is there a away to filter for ipv6 addresses?

Re: cidrmatch() returning no matches

MuS — Mon, 13 Jul 2015 03:40:19 GMT

Sure, for example to use the cidrmatch() for 2001:0000:1234:1234:1234:1fff:2eee:3ddd address, you can just do something like this:

........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")

Re: cidrmatch() returning no matches

splunknewby — Tue, 14 Jul 2015 22:47:58 GMT

Hey Mus, is there a way to capture all private ipv6 addresses?