https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24555#M4546 <P>If there are a limited number of subnets that you want to count, you could do it this way</P> <PRE><CODE>yoursearchhere | eval subnet="no match" | eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3", cidrmatch("10.10.17.0/24",ip),"10.10.17") | stats count by subnet </CODE></PRE> <P>This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.</P> <P>If you want to simply count by the first 3 octets, you could do it this way:</P> <PRE><CODE>yoursearchhere | rex field=ip "(?&lt;subnet&gt;\d+\.\d+\.\d+)\.\d+" | stats count by subnet </CODE></PRE> Sun, 05 Aug 2012 02:16:19 GMT lguinn2 2012-08-05T02:16:19Z https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24554#M4545 <P>I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?</P> <P>For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IP's are in each range.</P> Thu, 02 Aug 2012 18:40:00 GMT https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24554#M4545 jevenson 2012-08-02T18:40:00Z https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24555#M4546 <P>If there are a limited number of subnets that you want to count, you could do it this way</P> <PRE><CODE>yoursearchhere | eval subnet="no match" | eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3", cidrmatch("10.10.17.0/24",ip),"10.10.17") | stats count by subnet </CODE></PRE> <P>This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.</P> <P>If you want to simply count by the first 3 octets, you could do it this way:</P> <PRE><CODE>yoursearchhere | rex field=ip "(?&lt;subnet&gt;\d+\.\d+\.\d+)\.\d+" | stats count by subnet </CODE></PRE> Sun, 05 Aug 2012 02:16:19 GMT https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24555#M4546 lguinn2 2012-08-05T02:16:19Z https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24556#M4547 <P>That second regex search worked great, thanks!</P> Wed, 08 Aug 2012 16:22:01 GMT https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24556#M4547 jevenson 2012-08-08T16:22:01Z https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24557#M4548 <P>I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:</P> <P><CODE><BR /> yoursearchhere<BR /> | eval subnet="no match"<BR /> | eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",<BR /> cidrmatch("10.10.17.0/24",ip),"10.10.17")<BR /> | stats count by subnet<BR /> </CODE></P> Fri, 04 Jan 2013 18:09:29 GMT https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24557#M4548 anewell 2013-01-04T18:09:29Z https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24558#M4549 <PRE><CODE>REGEX IP ADDRESS \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3} REGEX RFC1918 IP ADDRESS (192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3} REGEX NON-RFC1918 IP ADDRESS \d{1,3}(?&lt;!10|255)\.\d{1,3}\.\d{1,3}\.\d{1,3} |\d{1,3}\.\d{1,3}(?&lt;!192\.168|255\.255)\.\d{1,3}\.\d{1,3} </CODE></PRE> Mon, 11 Apr 2016 18:45:12 GMT https://community.splunk.com/t5/Splunk-Search/Group-IP-addresses-in-CIDR-format/m-p/24558#M4549 jcoates_splunk 2016-04-11T18:45:12Z