We are searching new environments monthly, which means we are going in blind. I can get Splunk to stat out a total list of IPs, but I'm not sure how to get it to find all the VLANs. Here is an example search.
sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip
It gives me a list of private IP addresses in the Bro Conn log. I would like to see all the VLANs that these IPs reside on.
For example, let's say my search returned:
I would like to know that there are 5 total subnets, maybe even list them out as
Would you mind posting some search examples that you have tried (anonymized, of course)? You'll have a better chance getting your question answered if our community has something to go on.
Thanks for posting!
When using this search I get the desired output, but it seems like a lot more work than it should be. Are there easier ways to do this?
sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count by src_ip | table src_ip | eval temp=split(src_ip,".") | eval oct1=mvindex(temp,0) | eval oct2=mvindex(temp,1) | eval oct3=mvindex(temp,2) | stats count by oct1,oct2,oct3 | eval VLANS=oct1.".".oct2.".".oct3 | table VLANS, count | rename count as "Devices on VLAN"
Try below query with
sourcetype="bro_conn" src_ip=192.168.0.0/16 OR src_ip=172.16.0.0/12 OR src_ip=10.0.0.0/8 | stats count AS Devices_on_VLAN by src_ip | rex field=src_ip "^(?<VLANS>.*)\." | table VLANS, Devices_on_VLAN
Below is a run-anywhere search which produces the desired output based on your requirement.
| makeresults | eval src_ip="192.168.0.123" | append [ | makeresults | eval src_ip="10.10.0.8" ] | rex field=src_ip "^(?<VLANS>.*)\."
I hope this helps.
How can you get a list of VLANs, when all you have to go on, is a list of IP addresses? That is simply impossible.
Firstly, because a VLAN is something rather different than a subnet; you seem to be mixing the two concepts?
Secondly, because subnets can have arbitrary size (classes only exist in ancient networking textbooks, not in reality). So given just an IP address, it is impossible to determine the subnet it is in.
I totally agree with @FrankVI. The solution which I have provided is a simple solution to extract the IP address up to the 3rd dot, but not the actual VLAN.
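The two approaches in this thread can be put side by side outside Splunk. The following Python is an added example, not code from any poster: it reproduces the first-three-octets heuristic from the rex/split searches above, then groups the same addresses against a subnet inventory (the kind of list you would pull from DHCP or IPAM), which is what FrankVI's point implies you actually need. The IP list and the KNOWN_SUBNETS table are constructed for the example, and the inventory deliberately contains a /23 and two /25s so the mismatch with the /24 guess is visible.

```python
import ipaddress
from collections import Counter

# Constructed sample, standing in for the "stats count by src_ip" output
# of the bro_conn search in the thread.
SAMPLE_SRC_IPS = [
    "192.168.0.123", "192.168.0.200", "192.168.1.7",
    "10.10.0.8", "10.10.0.9", "10.10.1.15",
    "172.16.5.40", "172.16.5.41", "172.16.5.130",
    "10.99.0.1",  # present in the logs but missing from the inventory
]

# Hypothetical subnet inventory (assumed; e.g. exported from DHCP/IPAM).
# 192.168.0.0/23 spans two /24 prefixes; 172.16.5.0/24 is split into two /25s.
KNOWN_SUBNETS = [
    "192.168.0.0/23",
    "10.10.0.0/24",
    "10.10.1.0/24",
    "172.16.5.0/25",
    "172.16.5.128/25",
]


def group_by_first_three_octets(ips):
    """The thread's heuristic: treat the first three octets as the 'VLAN'.

    Equivalent to rex field=src_ip "^(?<VLANS>.*)\\." followed by a count.
    """
    counts = Counter(".".join(ip.split(".")[:3]) for ip in ips)
    return dict(counts)


def group_by_known_subnets(ips, subnets):
    """Longest-prefix match each IP against a subnet inventory.

    Returns (counts_per_subnet, unmatched_ips). Unmatched addresses are
    worth surfacing: they are hosts the inventory does not know about.
    """
    nets = sorted((ipaddress.ip_network(s) for s in subnets),
                  key=lambda n: n.prefixlen, reverse=True)
    counts = Counter()
    unmatched = []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        for net in nets:
            if addr in net:
                counts[str(net)] += 1
                break
        else:
            unmatched.append(ip)
    return dict(counts), unmatched


def compare(ips, subnets):
    """Summarise how far the /24 guess is from the inventory-based grouping."""
    heuristic = group_by_first_three_octets(ips)
    actual, unmatched = group_by_known_subnets(ips, subnets)
    return {
        "heuristic_groups": len(heuristic),
        "inventory_subnets": len(actual),
        "unmatched": unmatched,
    }


if __name__ == "__main__":
    print("first-three-octets guess:", group_by_first_three_octets(SAMPLE_SRC_IPS))
    counts, unmatched = group_by_known_subnets(SAMPLE_SRC_IPS, KNOWN_SUBNETS)
    print("inventory grouping:     ", counts)
    print("not in inventory:       ", unmatched)
    print(compare(SAMPLE_SRC_IPS, KNOWN_SUBNETS))
```

With this input the heuristic reports six "VLANs" while the inventory shows five subnets plus one address nobody has documented; 192.168.0.x and 192.168.1.x are really one /23, and 172.16.5.x is really two /25s. The count happens to be close, but the membership is wrong in both directions, which is exactly why the prefix trick is a convenience for a first look and not a substitute for a subnet or VLAN inventory.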