topic Re: Differentiate between public IP and private IP? in Splunk Search

Differentiate between public IP and private IP?

ferza — Fri, 13 Feb 2015 14:47:26 GMT

I have a search that goes such:

UNIQUESESSIONID connected to

What this does is outputs this from the log in the search results:

Feb 12 16:45:35 (browser/host name) (unique session IDs) RTP: Port (port number) connected to (public IP):(port number)

There are usually 2-4 lines/events in the log that have this similar "connected to" phrase, but only one of them will have a public IP. Which is the one I want. I actually really need everything from:

RTP: Port (port number) connected to (private IP):(port number)

But as mentioned, several of those events pop up, and the only difference is 2-3 will have private IPs that is always 10.x.x.x, the other events will have public IPs. Is there something I can put in my search query to have it only pull a private IP from the "connected to" phrase?

Re: Differentiate between public IP and private IP?

tpflicke — Fri, 13 Feb 2015 15:52:56 GMT

I am not sure if you want to return events with only public or only private IP addresses.
How about

index=<someindex> source=<somesource>  " connected to 10\."

to only get the private ones or

index=<something>  source=<somesource> "connected to " NOT "connected to 10\."

to get the public ones.
This will only look consider 10.x.x.x as private (not other ranges like 192.168.x.x etc) which might be sufficient for what you want. This should also be quick as it's filtering on the indexer.

Re: Differentiate between public IP and private IP?

ferza — Fri, 13 Feb 2015 15:58:12 GMT

That worked perfectly! Thank you! And yeah I just wanted the public IPs.