
IPv6 subnets and Splunk searches

g_prez
Path Finder

Splunk today is IPv4 subnet aware, so that if you do a search with something like ip_address = 10.0.0.0/24 ... Splunk knows to look for items 10.0.0.0 thru 10.0.0.255 ... NICE! Now what about IPv6 ... I think the answer is no. My question is when or how can this be done?

Example: IPv6_ADDR = 2001:54FF::/48 would look for a whole lot of stuff, but something like 2001:54FF:: to 2001:54FF:0000:FFFF:FFFF.

And this gets interesting, as you can show the first part of the IPv6 address as 2001:54FF:0000:0000 or 2001:54ff:: or 2001:54ff:0000::

It depends on what the system sending the log spits out ...


bshuler_splunk
Splunk Employee

This search shows the problem.

| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF::/48

Splunk currently does not support IPv6 CIDR searching.

BUT, because you are searching for a /48, these both work:

| stats count | eval ips="2001:54FF:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*

| stats count | eval ips="2001:54ff:0000:ffff:ffff:ffff:ffff:ffff,2002:54FF:0000:ffff:ffff:ffff:ffff:ffff,2003:54FF:0000:ffff:ffff:ffff:ffff:ffff" | rex field=ips "(?P<ip>[^,]+)" max_match=0 | mvexpand ip | table ip | search ip=2001:54FF:*

As you can see, the capitalization does not matter.

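Added example (Python, not from the thread and not Splunk code): it normalizes the three spellings from the question with the standard library's ipaddress module, does the CIDR membership test that ip=2001:54FF::/48 would need, and models the ip=2001:54FF:* workaround as a case-insensitive prefix match on the raw string. The sample values are constructed; the comparison shows where the wildcard and the true /48 test differ (the wildcard covers everything under 2001:54FF::/32, not only the /48).

```python
import ipaddress

# Constructed sample values, spelled the way different log sources might
# emit them: uppercase, leading zeros, compressed with "::".
SAMPLE_IPS = [
    "2001:54FF:0000:ffff:ffff:ffff:ffff:ffff",  # inside 2001:54FF::/48
    "2001:54ff::1",                              # inside, compressed form
    "2001:54ff:0000::",                          # inside, the network address itself
    "2001:54FF:1234::1",                         # outside the /48, inside 2001:54FF::/32
    "2002:54FF:0000:ffff:ffff:ffff:ffff:ffff",  # outside: different first hextet
    "2003:54FF:0000:ffff:ffff:ffff:ffff:ffff",  # outside
]


def normalize(addr):
    """Fully expanded lowercase form, so 2001:54FF:0000:0000::, 2001:54ff::
    and 2001:54ff:0000:: all collapse to one string."""
    return ipaddress.IPv6Address(addr).exploded


def in_ipv6_cidr(addr, cidr):
    """Real CIDR membership: what ip=2001:54FF::/48 would mean if supported."""
    return ipaddress.IPv6Address(addr) in ipaddress.IPv6Network(cidr, strict=False)


def wildcard_match(addr, pattern):
    """Model of the ip=2001:54FF:* workaround from the answer above: a
    case-insensitive prefix match on the raw string, '*' matching anything."""
    prefix = pattern.rstrip("*").lower()
    return addr.lower().startswith(prefix)


def compare(ips, cidr, pattern):
    """(normalized address, CIDR result, wildcard result) for each value."""
    return [(normalize(ip), in_ipv6_cidr(ip, cidr), wildcard_match(ip, pattern))
            for ip in ips]


def disagreements(ips, cidr, pattern):
    """Normalized values where the wildcard workaround and the CIDR test differ."""
    return [n for n, c, w in compare(ips, cidr, pattern) if c != w]


if __name__ == "__main__":
    for row in compare(SAMPLE_IPS, "2001:54FF::/48", "2001:54FF:*"):
        print("%-39s cidr=%-5s wildcard=%s" % row)
    print("wildcard over-matches:", disagreements(SAMPLE_IPS, "2001:54FF::/48", "2001:54FF:*"))
```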

g_prez
Path Finder

Oops, I was a bit off with that FFFF:FFFF in that post; the address should be 2001:54FF:0000:ffff:ffff:ffff:ffff:ffff.
Got tired of typing ffff I guess.
