https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227498#M67192 <P>I think it is, as I use it in the Cisco security app without an issue. The logs that have this data, are the same that I use to feed that app, just was trying to do it in the main search app, to create a dashboard for the boss.</P> <P>Going to try something else, omitting the SRC IP, and see if it will give me that as a stats.</P> Fri, 29 Apr 2016 11:42:27 GMT bworrellZP 2016-04-29T11:42:27Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227493#M67187 <P>So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?</P> <PRE><CODE>index=* scr_ip=10.0.0.0/16 web_app=YouTube </CODE></PRE> Thu, 28 Apr 2016 19:12:55 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227493#M67187 bworrellZP 2016-04-28T19:12:55Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227494#M67188 <P>try some thing like this, </P> <P>index= wep_app=YouTube src_ip="10.0.0.*" OR src_id="known ip" OR src_id="known ip2" ....</P> Tue, 29 Sep 2020 09:34:43 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227494#M67188 vasanthmss 2020-09-29T09:34:43Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227495#M67189 <P>Your syntax is right. <BR /> Have you tried searching the whole 10.<EM>.</EM>.* range by using /8 instead of /16?</P> <PRE><CODE>index=* scr_ip=10.0.0.0/8 web_app=YouTube </CODE></PRE> Thu, 28 Apr 2016 19:49:08 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227495#M67189 javiergn 2016-04-28T19:49:08Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227496#M67190 <P>Tried with the /8 as well. tried going down to the class C where I know the IP is, and get nada. But when I search by the one actual IP, I get data</P> Fri, 29 Apr 2016 11:23:14 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227496#M67190 bworrellZP 2016-04-29T11:23:14Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227497#M67191 <P>Grr. That's weird.<BR /> See this post here:</P> <P><A href="https://answers.splunk.com/answers/23554/cidr-match.html">https://answers.splunk.com/answers/23554/cidr-match.html</A></P> <P>I've used that notation hundreds of times.<BR /> Is your src_ip being extracted correctly?</P> Fri, 29 Apr 2016 11:32:41 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227497#M67191 javiergn 2016-04-29T11:32:41Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227498#M67192 <P>I think it is, as I use it in the Cisco security app without an issue. The logs that have this data, are the same that I use to feed that app, just was trying to do it in the main search app, to create a dashboard for the boss.</P> <P>Going to try something else, omitting the SRC IP, and see if it will give me that as a stats.</P> Fri, 29 Apr 2016 11:42:27 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227498#M67192 bworrellZP 2016-04-29T11:42:27Z https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227499#M67193 <P>So in testing, seems the webapp field was causing a conflict (comes from the IPS events in the ASA), changing from that to youtube.com, solved the issue. got the results I was expecting. Could be a bug in that app, will check with Cisco to be sure. </P> <P>thanks for your help.</P> Fri, 29 Apr 2016 12:08:17 GMT https://community.splunk.com/t5/Splunk-Search/Trying-to-search-by-CIDR-but-getting-no-results/m-p/227499#M67193 bworrellZP 2016-04-29T12:08:17Z