https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292901#M88423 <P>Given a list of CIDR ranges ... 10.198.68.132/30, 10.244.18.150/31, 10.48.37.96/24</P> <P>Is there a search that could extract the IPs in each range?</P> <P>| table cidr_range<BR /> | makemv delim="/" cidr_range<BR /> | eval IP = mvindex(cidr_range,0)<BR /> | eval MASK = mvindex(cidr_range, 1)<BR /> | eval IP_SCOPE = case(MASK = 32, IP,<BR /> MASK = 31, IP . ":" . IP,<BR /> MASK = 30, IP . ":" . IP . ":" . IP . ":" . IP)<BR /> | makemv delim=":" IP_SCOPE </P> <P>That's kind of the start, but I'm at a loss what to do next. ( and given a /24 .... that MASK assignment would look absolutely terrible. I'd need to take each multi-value field from IP_SCOPE, and increment by one the last octet, add 1 if it's not the first value then glue them back together. There must be an easier way. </P> Tue, 29 Sep 2020 14:44:10 GMT pkeller 2020-09-29T14:44:10Z https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292901#M88423 <P>Given a list of CIDR ranges ... 10.198.68.132/30, 10.244.18.150/31, 10.48.37.96/24</P> <P>Is there a search that could extract the IPs in each range?</P> <P>| table cidr_range<BR /> | makemv delim="/" cidr_range<BR /> | eval IP = mvindex(cidr_range,0)<BR /> | eval MASK = mvindex(cidr_range, 1)<BR /> | eval IP_SCOPE = case(MASK = 32, IP,<BR /> MASK = 31, IP . ":" . IP,<BR /> MASK = 30, IP . ":" . IP . ":" . IP . ":" . IP)<BR /> | makemv delim=":" IP_SCOPE </P> <P>That's kind of the start, but I'm at a loss what to do next. ( and given a /24 .... that MASK assignment would look absolutely terrible. I'd need to take each multi-value field from IP_SCOPE, and increment by one the last octet, add 1 if it's not the first value then glue them back together. There must be an easier way. </P> Tue, 29 Sep 2020 14:44:10 GMT https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292901#M88423 pkeller 2020-09-29T14:44:10Z https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292902#M88424 <P>Hi,</P> <P>transforms.conf</P> <P>[testcsv]<BR /> default_match = OK<BR /> filename = testcsv.csv<BR /> max_matches = 1<BR /> min_matches = 1<BR /> match_type = CIDR(cidr_range)</P> <P>props.conf</P> <P>[sourcetypetest]<BR /> LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc</P> <P>I hope this help.</P> Tue, 29 Sep 2020 14:41:56 GMT https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292902#M88424 sbbadri 2020-09-29T14:41:56Z https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292903#M88425 <P>The following macro displays the wildcard string matches to a given CIDR:</P> <PRE><CODE>rex field=cidr "^(?&lt;ip_base&gt;[\d\.]{7,})\/(?&lt;ip_block&gt;\d{1,2})$" | rex field=ip_base "(?&lt;ip1&gt;\d+)\.(?&lt;ip2&gt;\d+)\.(?&lt;ip3&gt;\d+)" | eval ip2B=case(ip_block&lt;=8,"*",ip_block=16,ip2,ip_block=15,mvrange(ip2,ip2+2),ip_block=14,mvrange(ip2,ip2+4),ip_block=13,mvrange(ip2,ip2+8),ip_block=12,mvrange(ip2,ip2+16),ip_block=11,mvrange(ip2,ip2+32),ip_block=10,mvrange(ip2,ip2+64),ip_block=9,mvrange(ip2,ip2+128),1=1,ip2) | eval ip3B=case(ip_block&lt;=16,"*",ip_block=16,ip3,ip_block=23,mvrange(ip3,ip3+2),ip_block=22,mvrange(ip3,ip 3+4),ip_block=21,mvrange(ip3,ip3+8),ip_block=20,mvrange(ip3,ip3+16),ip_block=19,mvrange(ip3,ip3+32),ip_block=18,mvrange(ip3,ip3+64),ip_block=17,mvrange(ip3,ip3+128),1=1,ip3) | mvexpand ip2B | mvexpand ip3B | eval ip_wildcard=ip1.".".ip2B.".".ip3B.".*" | fields - ip1* ip2* ip3* cidr_wildcard </CODE></PRE> Mon, 20 Apr 2020 20:44:31 GMT https://community.splunk.com/t5/Splunk-Search/Convert-CIDR-Range-into-list-of-member-IPs/m-p/292903#M88425 landen99 2020-04-20T20:44:31Z