
Providing IPAddress and Subnet Mask and getting corresponding Network Address

Builder

Do we have a function or way to determine the network address, provided we have the IP address and subnet mask?

For instance 10.3.3.28/24 ==> 10.3.3.0/24 as a simple example.

0 Karma

New Member

Hi, I have not found any built-in function, so back to network theory and maths. Sorry, it's ugly!

  • NET_id contains the IP
  • NET_mask contains the network mask
  • NET_net is the network deduced from IP & Netmask

NET_id NET_mask => NET_net
10.140.229.2 255.255.255.0 => 10.140.229.0
10.140.85.10 255.255.252.0 => 10.140.84.0


[.. Search ...]
| stats values(VLAN_name) as VLAN_name values(NET_id) as NET_id values(NET_mask) as NET_mask by ansible_host VLAN_id
| eval octet = split(NET_id, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_ip by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id
| eval octet_bin_ip = mvjoin(octet_bin_ip, "")
| eval octet = split(NET_mask, ".")
| eval rank = split("1,2,3,4", ",")
| eval octet_rank = mvzip(rank, octet)
| mvexpand octet_rank
| eval octet_rank_split = split(octet_rank, ",")
| eval rank = mvindex(octet_rank_split, 0)
| eval octet = mvindex(octet_rank_split, 1)
| eval power = mvrange(0,8)
| mvexpand power
| eval base2 = pow(2, power)
| eval mydiv = floor(octet / base2)
| eval octet_bin = mydiv % 2
| stats list(octet_bin) as octet_bin by ansible_host VLAN_id, VLAN_name, NET_mask, NET_id, octet_bin_ip, rank, octet
| eval octet_bin = mvjoin(octet_bin, "")
| sort limit=0 NET_id, rank
| stats list(octet_bin) as octet_bin_mask by ansible_host VLAN_id, VLAN_name, NET_id,octet_bin_ip, NET_mask
| eval octet_bin_mask = mvjoin(octet_bin_mask, "")

| eval rank = split("1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32", ",")
| eval octet_bit_ip = split(octet_bin_ip, "")
| eval octet_bit_mask = split(octet_bin_mask, "")
| eval bit_rank = mvzip(rank, octet_bit_ip)
| eval bit_rank = mvzip(bit_rank, octet_bit_mask)
| mvexpand bit_rank

| eval bit_rank_split = split(bit_rank, ",")
| eval rank = mvindex(bit_rank_split, 0)
| eval bit_ip = mvindex(bit_rank_split, 1)

| eval bit_mask = mvindex(bit_rank_split, 2)
| eval bit_net=if(bit_mask == 1, bit_ip, bit_mask)
| fields + ansible_host VLAN_id VLAN_name NET_id NET_mask bit_net rank
| eval rank=rank-1
| eval rank_oct=(rank)/8
| eval rank_oct2=rank-floor(rank_oct%8)*8
| eval oct_dec=pow(2,rank_oct2)*bit_net
| eval rank_oct=floor(rank_oct)+1
| stats sum(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask, rank_oct
| stats list(oct_dec) as oct_dec by ansible_host VLAN_id, VLAN_name, NET_id, NET_mask
| eval NET_net=mvjoin(oct_dec, ".")
| fields - oct_dec

0 Karma

SplunkTrust

Look at the cidrmatch functionality. The cidrmatch function for eval can be found here:

http://docs.splunk.com/Documentation/Splunk/6.0.8/SearchReference/CommonEvalFunctions

0 Karma

Builder

Thanks. Well the problem is that:
We have two subnets in our lookup file.
10.2.2.0/24
10.2.0.0/16

Now, if we don't provide the subnet mask, 10.2.2.25 can match any of these. I need a Splunk function that is given 10.2.2.25/24 and returns 10.2.2.0/24,
or is given 10.2.2.25/16 and returns 10.2.0.0/16.

0 Karma

Super Champion

@nabeel652 You can do this with SPL easily.

————————————
If this helps, give a like below.
0 Karma
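
An added example, not part of any post in this thread: a shorter SPL calculation of the network address that works per octet instead of bit by bit, rounding each IP octet down to a multiple of that octet's block size (256 minus the mask octet, or 2 to the number of host bits the prefix leaves in that octet). It assumes a contiguous mask given either as a prefix length or in dotted form; the field names (constructed_sample, ip, mask, prefix, b1 to b4, n1 to n4, network) and the sample values are constructed for illustration.

```spl
| makeresults
| eval constructed_sample=split("10.3.3.28/24 10.2.2.25/24 10.2.2.25/16 10.140.85.10/255.255.252.0", " ")
| mvexpand constructed_sample
| rex field=constructed_sample "^(?<ip>[^/]+)/(?<mask>\S+)$"
| eval prefix=if(match(mask, "^\d+$"), tonumber(mask), null())
| eval ip_o=split(ip, "."), mask_o=split(mask, ".")
| eval b1=if(isnull(prefix), 256 - tonumber(mvindex(mask_o, 0)), pow(2, min(8, max(0, 8 - prefix))))
| eval b2=if(isnull(prefix), 256 - tonumber(mvindex(mask_o, 1)), pow(2, min(8, max(0, 16 - prefix))))
| eval b3=if(isnull(prefix), 256 - tonumber(mvindex(mask_o, 2)), pow(2, min(8, max(0, 24 - prefix))))
| eval b4=if(isnull(prefix), 256 - tonumber(mvindex(mask_o, 3)), pow(2, min(8, max(0, 32 - prefix))))
| eval o1=tonumber(mvindex(ip_o, 0)), o2=tonumber(mvindex(ip_o, 1)), o3=tonumber(mvindex(ip_o, 2)), o4=tonumber(mvindex(ip_o, 3))
| eval n1=o1 - (o1 % b1), n2=o2 - (o2 % b2), n3=o3 - (o3 % b3), n4=o4 - (o4 % b4)
| eval network=n1 . "." . n2 . "." . n3 . "." . n4
| table constructed_sample ip mask network
```

When the same address appears with different masks, as with the two overlapping lookup subnets mentioned above, the computed network field differs per mask and can be used as the exact lookup key.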

New Member

Hi Folks,

I have the same query: is it possible to get the subnet mask and gateway for any IP address in a Splunk search?

0 Karma

Super Champion

Can you verify the question once?

Are you trying to get the subnet/subnet mask for a range of IPs (when you input the first and last IP)?

Netmasks (or subnet masks) are a shorthand for referring to ranges of consecutive IP addresses in the Internet Protocol.


————————————
If this helps, give a like below.
0 Karma

SplunkTrust

Hi

As there is no mandatory address for the gateway in a subnet, you couldn't get that information unless it's stored in your events.

Quite often the GW's address is the first or last usable IP on the subnet, but that's mostly a best practice, not mandatory.

r. Ismo

0 Karma