I have a big corporate network with many routers.
All routers have a loopback IP used for syslog, e.g. 10.252.1.10/32.
When I do a search for host like this:
index=syslog host=10.252.1.0/24 (last 24 hour)
When I look at the host field, I get a result like this:
Values Count %
10.252.1.170 8,887 99.396%
10.252.1.77 32 0.358%
10.252.1.112 12 0.134%
10.252.1.17 4 0.045%
10.252.1.104 3 0.034%
10.252.1.80 3 0.034%
The problem is that I miss several hosts. A search for a specific node like this:
index=syslog host=10.252.1.105 (last 24 hour)
gives this result:
Values Count %
10.252.1.105 59 100%
Why do I not see this host with 59 hits in syslog?
Why does CIDR not cover it?
Should host=10.252.1.0/24 not cover 10.252.1.0 to 10.252.1.255?
Hello,
It's possible that the field you are using for host is not formatted in a way that the CIDR search recognizes. With my data, my field is src, which is formatted ipaddress:port:vlan. I have to perform a rex on the src field to parse just the IP address into its own field, and then I can use CIDR notation to pull out all the hosts I have logs for in the time window.
index=<yourindex> | rex field=src "(?<src_ip>\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})" | search src_ip="10.100.200.0/24" | stats values(src_ip)
Hope that helps.
You are on the right track. Just to test it, I added host=10.252.1.* and get more than 100 hits.
The host is not part of the _raw data, so it has to be something to do with how it is extracted.
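To illustrate the mechanism behind the answer and the wildcard test in the reply above, here is an added Python example that is not part of the original thread. It assumes (as the answer does) that a field=CIDR search only matches values that are bare, valid dotted-quad addresses, while field=10.252.1.* is a plain glob; the host values are constructed, not taken from the poster's data.

```python
import ipaddress
import re
from fnmatch import fnmatchcase

# Constructed sample values for the host field (not from the original post).
# The third and fourth are deliberately not clean dotted quads, the kind of
# extraction problem the answer suspects.
HOSTS = [
    "10.252.1.170",
    "10.252.1.77",
    "10.252.1.105:514",   # port appended during extraction
    "10.252.1.17 ",       # trailing whitespace
    "10.253.1.9",         # clean, but outside the /24
]

IPV4_RE = re.compile(r"(?<!\d)(\d{1,3}(?:\.\d{1,3}){3})(?!\d)")


def cidr_match(value, cidr):
    """Strict CIDR match: only a bare, valid IPv4 address can fall inside
    the block. Assumed to mirror how field=CIDR behaves on an unclean field."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


def wildcard_match(value, pattern):
    """Glob match, which is why host=10.252.1.* still hits the unclean values."""
    return fnmatchcase(value, pattern)


def extract_ip(value):
    """Equivalent of the rex in the answer: pull the first dotted quad out."""
    m = IPV4_RE.search(value)
    return m.group(1) if m else None


def hosts_in_block(values, cidr, clean=False):
    """Return the host values inside cidr, optionally normalising them first."""
    hits = []
    for v in values:
        candidate = extract_ip(v) if clean else v
        if candidate is not None and cidr_match(candidate, cidr):
            hits.append(v)
    return hits


if __name__ == "__main__":
    print("CIDR on raw field:  ", hosts_in_block(HOSTS, "10.252.1.0/24"))
    print("wildcard on raw:    ", [h for h in HOSTS if wildcard_match(h, "10.252.1.*")])
    print("CIDR after extract: ", hosts_in_block(HOSTS, "10.252.1.0/24", clean=True))
```

The raw CIDR search returns only the two clean values, the wildcard returns four, and the CIDR search after extraction also returns four, which is the gap the question describes.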