topic Re: Is it possible to do a CIDR match in a tstats where clause? in Splunk Search https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252372#M75513 <P>if you're satisfied of the answer, please, accept the answer.<BR /> Bye.<BR /> Giuseppe</P> Fri, 09 Sep 2016 11:06:50 GMT gcusello 2016-09-09T11:06:50Z Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252370#M75511 <P>Is it possible to match IP address range in tstats where clause? </P> <P>Example: <BR /> It's possible to do this with search+stats: </P> <PRE><CODE>index=test IP="10.1.1.0/25" | stats count by IP </CODE></PRE> <P>But since we have IP extracted at index time, I'd rather take advantage of tstats performance and run something like </P> <PRE><CODE>| tstats count where index=test IP="10.1.1.0/25" by IP </CODE></PRE> <P>but that doesn't work as expected - tstats matches any IP as if the filter was IP="*" <BR /> Ideas?</P> Mon, 11 Jul 2016 22:25:11 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252370#M75511 IgorB 2016-07-11T22:25:11Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252371#M75512 <P>I think that you already used the tscollect (eg.g. in test_stats) command before use tstats, something like this</P> <PRE><CODE> index=test earliest=-30d latest=now | table _time IP field1 field2 field3 ... | tscollect test_stats </CODE></PRE> <P>so the command could be:</P> <PRE><CODE> | tstats count FROM tests_stats GROUPBY IP </CODE></PRE> <P>Bye.<BR /> Giuseppe</P> Tue, 12 Jul 2016 07:02:37 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252371#M75512 gcusello 2016-07-12T07:02:37Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252372#M75513 <P>if you're satisfied of the answer, please, accept the answer.<BR /> Bye.<BR /> Giuseppe</P> Fri, 09 Sep 2016 11:06:50 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252372#M75513 gcusello 2016-09-09T11:06:50Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252373#M75514 <P>I downvoted this post because: <BR /> Sorry, can't accept. your reply doesn't answer my question:<BR /> 1. your assumption that I've used '| tscollect' is incorrect<BR /> 2. '| tstats ... ' you proposed misses the point of returning only ips in a specific range</P> Mon, 12 Sep 2016 14:48:35 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252373#M75514 IgorB 2016-09-12T14:48:35Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252374#M75515 <P>tstats is not CIDR aware for where clauses. Sorry <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span></P> Wed, 21 Dec 2016 15:45:24 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252374#M75515 dshpritz 2016-12-21T15:45:24Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252375#M75516 <P>Actually, natural CIDR filters work in <CODE>tstats</CODE>.</P> <P>Like this:</P> <PRE><CODE>| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8" </CODE></PRE> <P>And this:</P> <PRE><CODE>| tstats count WHERE index=* AND host="10.0.0.0/8" </CODE></PRE> <P>This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*</P> Tue, 25 Jun 2019 17:39:15 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252375#M75516 woodcock 2019-06-25T17:39:15Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252376#M75517 <P>Apparently this is no longer true in Splunk v.7.x. <BR /> Thanks to @woodcock for pointing this out</P> Tue, 25 Jun 2019 19:17:02 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/252376#M75517 IgorB 2019-06-25T19:17:02Z Re: Is it possible to do a CIDR match in a tstats where clause? https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/517666#M145583 <P>Is the negative form suppose to work as well?&nbsp;</P><P>&nbsp;</P><P>For example:</P><PRE>| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src!="10.0.0.0/8"</PRE><P>&nbsp;</P> Thu, 03 Sep 2020 08:28:58 GMT https://community.splunk.com/t5/Splunk-Search/Is-it-possible-to-do-a-CIDR-match-in-a-tstats-where-clause/m-p/517666#M145583 astatrial 2020-09-03T08:28:58Z