| makeresults
| eval ip="10.3.3.28/24"
| lookup local=t ipcalclookup Address as ip OUTPUT Network Prefix
| eval netaddr=Network."/".Prefix
Hi, I have not found any built-in function, so back to network theory and maths... sorry, it's ugly!
NET_id NET_mask => NET_net
10.140.229.2 255.255.255.0 => 10.140.229.0
10.140.85.10 255.255.252.0 => 10.140.84.0
[.. Search ...]
| stats values(VLAN_name) as VLAN_name values(NET_id) as NET_id values(NET_mask) as NET_mask by ansible_host VLAN_id
| eval octet = split(NET_id, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_ip by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id
| eval octet_bin_ip = mvjoin(octet_bin_ip, "")
| eval octet = split(NET_mask, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id, octet_bin_ip, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_mask by ansible_host VLAN_id, VLAN_name, NET_id,octet_bin_ip, NET_mask
| eval octet_bin_mask = mvjoin(octet_bin_mask, "")
| eval rank = split("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32", ",")
| eval octet_bit_ip = split(octet_bin_ip, "")
| eval octet_bit_mask = split(octet_bin_mask, "")
| eval bit_rank = mvzip(rank, octet_bit_ip)
| eval bit_rank = mvzip(bit_rank, octet_bit_mask)
| mvexpand bit_rank
| eval bit_rank_split = split(bit_rank, ",")
| eval rank = mvindex(bit_rank_split, 0)
| eval bit_ip = mvindex(bit_rank_split, 1)
| eval bit_mask = mvindex(bit_rank_split, 2)
| eval bit_net=if(bit_mask == 1, bit_ip, bit_mask)
| fields + ansible_host VLAN_id VLAN_name NET_id NET_mask bit_net rank
| eval rank=rank-1
| eval rank_oct=(rank)/8
| eval rank_oct2=rank-floor(rank_oct%8)*8
| eval oct_dec=pow(2,rank_oct2)*bit_net
| eval rank_oct=floor(rank_oct)+1
| stats sum(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank_oct
| stats list(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask
| eval NET_net=mvjoin(oct_dec, ".")
| fields - oct_dec
Look at the cidrmatch functionality. The cidrmatch function for eval can be found here:
http://docs.splunk.com/Documentation/Splunk/6.0.8/SearchReference/CommonEvalFunctions
Thanks. Well, the problem is that:
We have two subnets in our lookup file.
10.2.2.0/24
10.2.0.0/16
Now, if we don't provide a subnet mask, 10.2.2.25 can match any of these. I need a Splunk function that is given 10.2.2.25/24 and returns 10.2.2.0/24
or
10.2.2.25/16 to reply with 10.2.0.0/16
I had this same issue and eventually used a lookup table for decimal (0-255) to Binary conversion. I called my lookup table Decimal_To_Binary with fields Decimal/Binary. I used MyIPNet to hold the static IPv4/netmask you want to convert. In general, this will be your input field.
<main search>
| eval MyIPNet="10.162.241.94/28"
| eval MyIP=mvindex(split(MyIPNet,"/"),0)
| eval MyNetMask=mvindex(split(MyIPNet,"/"),1)
| eval MyIPSplit=split(MyIP,".")
| eval IPPadding="00000000000000000000000000000000"
| eval Octet1=mvindex(MyIPSplit,0), Octet2=mvindex(MyIPSplit,1),Octet3=mvindex(MyIPSplit,2),Octet4=mvindex(MyIPSplit,3)
| lookup Decimal_To_Binary Decimal AS Octet1 OUTPUT Binary AS OutOctet1
| lookup Decimal_To_Binary Decimal AS Octet2 OUTPUT Binary AS OutOctet2
| lookup Decimal_To_Binary Decimal AS Octet3 OUTPUT Binary AS OutOctet3
| lookup Decimal_To_Binary Decimal AS Octet4 OUTPUT Binary AS OutOctet4
| eval BinaryIP=printf("%08d",OutOctet1)+printf("%08d",OutOctet2)+printf("%08d",OutOctet3)+printf("%08d",OutOctet4)
| eval SubnetBinary=substr(substr(BinaryIP, 1, MyNetMask).IPPadding, 1, 32)
| eval IPSubNet=tonumber(substr(SubnetBinary,1,8),2).".".tonumber(substr(SubnetBinary,9,8),2).".".tonumber(substr(SubnetBinary,17,8),2).".".tonumber(substr(SubnetBinary,25,8),2)."/".MyNetMask
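Both SPL answers above rebuild the network address bit by bit (octets to binary, keep the first N bits, zero-pad, convert back). The same computation, plus the lookup ambiguity raised in the question (10.2.2.25 matching both 10.2.2.0/24 and 10.2.0.0/16), as an added Python example that is not from the original thread or from Splunk; the two-row SUBNET_LOOKUP is constructed to mirror the question's lookup file.

```python
import ipaddress


def ip_to_bits(ip: str) -> str:
    """Dotted quad -> 32-char MSB-first bit string (the BinaryIP field of the SPL answer)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return "".join(f"{o:08b}" for o in octets)


def bits_to_ip(bits: str) -> str:
    """32-char bit string -> dotted quad (the tonumber(substr(...), 2) step in SPL)."""
    return ".".join(str(int(bits[i:i + 8], 2)) for i in range(0, 32, 8))


def mask_to_prefix(mask: str) -> int:
    """255.255.252.0 -> 22; rejects non-contiguous masks such as 255.0.255.0."""
    bits = ip_to_bits(mask)
    prefix = len(bits.rstrip("0"))
    if bits != "1" * prefix + "0" * (32 - prefix):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def network_address(ip_with_mask: str) -> str:
    """'10.162.241.94/28' or '10.140.85.10/255.255.252.0' -> 'network/prefix'."""
    ip, mask = ip_with_mask.split("/")
    prefix = int(mask) if mask.isdigit() else mask_to_prefix(mask)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {mask}")
    # keep the first `prefix` bits, pad with zeros: the substr(...).IPPadding trick above
    net_bits = ip_to_bits(ip)[:prefix].ljust(32, "0")
    return f"{bits_to_ip(net_bits)}/{prefix}"


def matching_subnets(ip: str, subnets: list) -> list:
    """Every lookup row whose CIDR contains ip, i.e. what cidrmatch() alone would accept."""
    return [s for s in subnets if network_address(f"{ip}/{s.split('/')[1]}") == network_address(s)]


def resolve_subnet(ip_with_mask: str, subnets: list):
    """The question's case: '10.2.2.25/24' -> '10.2.2.0/24', '10.2.2.25/16' -> '10.2.0.0/16'."""
    wanted = network_address(ip_with_mask)
    return next((s for s in subnets if network_address(s) == wanted), None)


SUBNET_LOOKUP = ["10.2.2.0/24", "10.2.0.0/16"]  # constructed: the two rows from the question

if __name__ == "__main__":
    for ipm in ("10.140.229.2/255.255.255.0", "10.140.85.10/255.255.252.0", "10.162.241.94/28"):
        assert network_address(ipm) == str(ipaddress.ip_network(ipm, strict=False))  # stdlib cross-check
        print(ipm, "->", network_address(ipm))
    print(matching_subnets("10.2.2.25", SUBNET_LOOKUP))   # both rows: the ambiguity
    print(resolve_subnet("10.2.2.25/24", SUBNET_LOOKUP))  # 10.2.2.0/24
```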
@nabeel652 You can do this with SPL easily.
Hi Folks,
I have the same query: is it possible to get the subnet mask and gateway for any IP address in a Splunk search?
Can you clarify the question?
Are you trying to get the subnet/subnet mask for a range of IPs (when you input the first and last IP)?
Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol.
Hi,
as there is no mandatory address for the GW in a subnet, you couldn't get that information unless it's stored in your events.
Quite often the GW's address is the first or last usable IP on the subnet, but that's mostly a best practice, not mandatory.
r. Ismo