Re: Why does the CIDR not include all IP's in a ra...

lakromani · ‎03-30-2018

I have a big corporate network with many routers.
All routes ha a loopback IP used for syslog. Ex 10.252.1.10/32

When I do a search for host like this:

index=syslog host=10.252.1.0/24 (last 24 hour)

When look at host, I do get a result like this, when look at the host filed.

Values  Count   %
10.252.1.170    8,887   99.396% 
10.252.1.77 32  0.358%  
10.252.1.112    12  0.134%  
10.252.1.17 4   0.045%  
10.252.1.104    3   0.034%  
10.252.1.80 3   0.034%

Problem is that I do muss several hosts. A search for a specific node like this:

index=syslog host=10.252.1.105 (last 24 hour)
gives this result:

 Values Count   %    
    10.252.1.105    59  100%

Why do I not see this host with 59 hits in syslog.??
Why does CIDR not cover it?

host=10.252.1.0/24 should it not cover 10.252.1.0 to 10.252.1.255?

salbro · ‎03-30-2018

Hello,

It's possible that the field you are using for host is not formatted in a way that the CIDR search recognizes. With my data, my field is src which is formatted ipaddress:port:vlan I have to perform a rex on the src field to parse just the into its own field, and then I can use CIDR notation to pull out all the hosts I have logs for in the time window.

index=<yourindex> | rex field=src "(?<src_ip>\d{1,3}.\d{1,3}.\d{1,3}.\d{1,3})" | search src_ip="10.100.200.0/24" | stats values(src_ip)

Hope that helps.

lakromani · ‎03-30-2018

You are on the right track. Just for the test of it, I added host=10.252.1.* and get more than 100 hits.
The host is not part of the _raw data, so It has to be some with how its extracted.

Why does the CIDR not include all IP's in a range?

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms