
Do we have a function or way to determine network address provided we have ip address and subnet mask?

nabeel652
Builder


For instance 10.3.3.28/24 ==> 10.3.3.0/24 as a simple example.

0 Karma

tfujita_splunk
Splunk Employee
For converting to network address from ip address/mask or prefix,
I added the following external command lookup to the App below.
Usage:
| makeresults
| eval ip="10.3.3.28/24"
| lookup local=t ipcalclookup Address as ip OUTPUT Network Prefix
| eval netaddr=Network."/".Prefix
The input Address can also be in any of the following formats.
* ip/netmask: e.g. 192.0.2.17/255.255.255.240
* ip/prefix: e.g. 192.0.2.17/28
* ipv6/prefix: e.g. 2001:db8:1234::1/64
Numeral system macros for Splunk
https://splunkbase.splunk.com/app/6595
0 Karma
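An added example of what such an external command lookup looks like, written here in Python and not taken from the Splunkbase app above: Splunk hands the lookup rows to the script as CSV on stdin and reads the completed rows back from stdout. The field names Address, Network and Prefix follow the usage shown above; the transforms.conf stanza in the comment is assumed, as is the script name.

```python
#!/usr/bin/env python3
# Added example of a Splunk external lookup script (not the Splunkbase app's
# code). Assumed registration in transforms.conf:
#   [ipcalclookup]
#   external_cmd = ipcalc_lookup.py Address Network Prefix
#   fields_list = Address, Network, Prefix
#   python.version = python3
# Splunk streams the rows as CSV on stdin and reads the filled rows from stdout.
import csv
import ipaddress
import sys

def to_network(address):
    """'10.3.3.28/24' -> ('10.3.3.0', '24').

    Accepts ip/prefix, ip/netmask and ipv6/prefix, the three forms the answer
    lists. strict=False tolerates host bits being set, which is the whole point
    here. Bad input yields ('', '') so one bad row does not abort the search.
    """
    try:
        net = ipaddress.ip_network(address.strip(), strict=False)
    except ValueError:
        return "", ""
    return str(net.network_address), str(net.prefixlen)

def fill_rows(rows):
    """Fill Network and Prefix for every row that carries an Address."""
    filled = []
    for row in rows:
        row = dict(row)
        if row.get("Address"):
            row["Network"], row["Prefix"] = to_network(row["Address"])
        filled.append(row)
    return filled

def main():
    reader = csv.DictReader(sys.stdin)
    writer = csv.DictWriter(sys.stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    writer.writerows(fill_rows(reader))

if __name__ == "__main__":
    main()
```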

mcantaloube
New Member

Hi, I haven't found any built-in function, so back to network theory and maths... sorry, it's ugly!

  • NET_id contains the IP
  • NET_mask contains the network mask
  • NET_net is the network deducted from IP & Netmask

NET_id NET_mask => NET_net
10.140.229.2 255.255.255.0 => 10.140.229.0
10.140.85.10 255.255.252.0 => 10.140.84.0


[.. Search ...]
| stats values(VLAN_name) as VLAN_name values(NET_id) as NET_id values(NET_mask) as NET_mask by ansible_host VLAN_id | eval octet = split(NET_id, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_ip by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id
| eval octet_bin_ip = mvjoin(octet_bin_ip, "")
| eval octet = split(NET_mask, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id, octet_bin_ip, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_mask by ansible_host VLAN_id, VLAN_name, NET_id,octet_bin_ip, NET_mask
| eval octet_bin_mask = mvjoin(octet_bin_mask, "")
| eval rank = split("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32", ",")
| eval octet_bit_ip = split(octet_bin_ip, "") | eval octet_bit_mask = split(octet_bin_mask, "")
| eval bit_rank = mvzip(rank, octet_bit_ip)
| eval bit_rank = mvzip(bit_rank, octet_bit_mask)
| mvexpand bit_rank
| eval bit_rank_split = split(bit_rank, ",")
| eval rank = mvindex(bit_rank_split, 0)
| eval bit_ip = mvindex(bit_rank_split, 1)
| eval bit_mask = mvindex(bit_rank_split, 2)
| eval bit_net=if(bit_mask == 1, bit_ip, bit_mask)
| fields + ansible_host VLAN_id VLAN_name NET_id NET_mask bit_net rank
| eval rank=rank-1| eval rank_oct=(rank)/8
| eval rank_oct2=rank-floor(rank_oct%8)*8
| eval oct_dec=pow(2,rank_oct2)*bit_net
| eval rank_oct=floor(rank_oct)+1
| stats sum(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank_oct
| stats list(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask
| eval NET_net=mvjoin(oct_dec, ".")
| fields - oct_dec

0 Karma

cpetterborg
SplunkTrust

Look at the cidrmatch functionality. The cidrmatch function for eval can be found here:

http://docs.splunk.com/Documentation/Splunk/6.0.8/SearchReference/CommonEvalFunctions

0 Karma

nabeel652
Builder

Thanks. Well, the problem is that we have two subnets in our lookup file:
10.2.2.0/24
10.2.0.0/16

Now if we don't provide the subnet mask, 10.2.2.25 can match either of these. I need a Splunk function that, given 10.2.2.25/24, returns 10.2.2.0/24,
or
given 10.2.2.25/16, replies with 10.2.0.0/16

0 Karma

gntani1981
Loves-to-Learn

I had this same issue and eventually used a lookup table for decimal (0-255) to binary conversion. I called my lookup table Decimal_To_Binary with fields Decimal/Binary. I used MyIPNet to hold the static IPv4/netmask you want to convert; in general, this will be your input field.

<main search>

| eval MyIPNet="10.162.241.94/28"
| eval MyIP=mvindex(split(MyIPNet,"/"),0)
| eval MyNetMask=mvindex(split(MyIPNet,"/"),1)
| eval MyIPSplit=split(MyIP,".")
| eval IPPadding="00000000000000000000000000000000"
| eval Octet1=mvindex(MyIPSplit,0), Octet2=mvindex(MyIPSplit,1),Octet3=mvindex(MyIPSplit,2),Octet4=mvindex(MyIPSplit,3)
| lookup Decimal_To_Binary Decimal AS Octet1 OUTPUT Binary AS OutOctet1
| lookup Decimal_To_Binary Decimal AS Octet2 OUTPUT Binary AS OutOctet2
| lookup Decimal_To_Binary Decimal AS Octet3 OUTPUT Binary AS OutOctet3
| lookup Decimal_To_Binary Decimal AS Octet4 OUTPUT Binary AS OutOctet4
| eval BinaryIP=printf("%08d",OutOctet1)+printf("%08d",OutOctet2)+printf("%08d",OutOctet3)+printf("%08d",OutOctet4)
| eval SubnetBinary=substr(substr(BinaryIP, 1, MyNetMask).IPPadding, 1, 32)
| eval IPSubNet=tonumber(substr(SubnetBinary,1,8),2).".".tonumber(substr(SubnetBinary,9,8),2).".".tonumber(substr(SubnetBinary,17,8),2).".".tonumber(substr(SubnetBinary,25,8),2)."/".MyNetMask


0 Karma
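The two SPL searches above (mcantaloube's and gntani1981's) carry out the same arithmetic: expand each octet to bits, AND the address bits with the mask bits, and reassemble dotted decimal. As an added example, not code from either post, here is that arithmetic in plain Python on 32-bit integers; it goes slightly further by accepting either a netmask or a prefix length, and by checking that a netmask is a contiguous run of ones, which both searches assume but never test.

```python
# Added example: the bit arithmetic behind the SPL searches above, on 32-bit
# integers instead of per-bit multivalue fields. Not code from either post.

def dotted_to_int(dotted):
    """'10.140.85.10' -> 0x0A8C550A; rejects anything but four octets 0-255."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets: %r" % dotted)
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError("octet out of range: %r" % dotted)
        value = (value << 8) | n          # same as the pow(2, ...) sums in SPL
    return value

def int_to_dotted(value):
    """Inverse of dotted_to_int: 0x0A8C5400 -> '10.140.84.0'."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def prefix_to_mask_int(prefix):
    """22 -> 0xFFFFFC00, i.e. 255.255.252.0."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix out of range: %d" % prefix)
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF

def is_contiguous_mask(mask):
    """True for 255.255.252.0, False for a mask with a hole like 255.255.0.255.

    The SPL searches assume this; a non-contiguous mask would still AND
    without error and silently yield a meaningless network address."""
    m = dotted_to_int(mask)
    return m == prefix_to_mask_int(bin(m).count("1"))

def mask_to_prefix(mask):
    """'255.255.252.0' -> 22, refusing masks that are not a run of ones."""
    if not is_contiguous_mask(mask):
        raise ValueError("non-contiguous netmask: %s" % mask)
    return bin(dotted_to_int(mask)).count("1")

def network_address(ip, mask_or_prefix):
    """AND the address with the mask (the bit_net eval), returning 'net/prefix'.

    mask_or_prefix may be a netmask ('255.255.252.0') or a prefix ('28' or 28)."""
    text = str(mask_or_prefix)
    prefix = int(text) if text.isdigit() else mask_to_prefix(text)
    net = dotted_to_int(ip) & prefix_to_mask_int(prefix)
    return "%s/%d" % (int_to_dotted(net), prefix)
```

Run against the table in mcantaloube's post, network_address("10.140.85.10", "255.255.252.0") gives 10.140.84.0/22, and gntani1981's 10.162.241.94/28 gives 10.162.241.80/28.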

thambisetty
SplunkTrust

@nabeel652 You can do this with SPL easily.

————————————
If this helps, give a like below.
0 Karma

Raghubansh
New Member

Hi Folks,

I have the same query: is it possible to get the subnet mask and gateway for any IP address in a Splunk search?

0 Karma

thambisetty
SplunkTrust

Can you verify the question once?

Are you trying to get the subnet/subnet mask for a range of IPs (when you input the first and last IP)?

Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol.


————————————
If this helps, give a like below.
0 Karma

isoutamo
SplunkTrust

Hi

As there is no mandatory address for the GW in a subnet, you couldn't get that information unless it's stored in your events.

Quite often the GW's address is the first or last usable IP on the subnet, but that's mostly a best practice, not mandatory.

r. Ismo

0 Karma