Knowledge Management
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Create a wildcard string from cidr values for TERM matching

landen99
Motivator
‎04-20-2020 01:48 PM

Create a wildcard string for a TERM match to a cidr or list of cidrs.

This way you can search indexes or datamodels like this: index=myindex TERM(192.168.0.*) from the cidr 192.168.0.0/24

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

landen99
Motivator
‎04-20-2020 01:49 PM

The following macro displays the wildcard string matches to a given CIDR:

 rex field=cidr "^(?<ip_base>[\d\.]{7,})\/(?<ip_block>\d{1,2})$"
| rex field=ip_base "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)"
| eval ip2B=case(ip_block<=8,"*",ip_block=16,ip2,ip_block=15,mvrange(ip2,ip2+2),ip_block=14,mvrange(ip2,ip2+4),ip_block=13,mvrange(ip2,ip2+8),ip_block=12,mvrange(ip2,ip2+16),ip_block=11,mvrange(ip2,ip2+32),ip_block=10,mvrange(ip2,ip2+64),ip_block=9,mvrange(ip2,ip2+128),1=1,ip2)
| eval ip3B=case(ip_block<=16,"*",ip_block=16,ip3,ip_block=23,mvrange(ip3,ip3+2),ip_block=22,mvrange(ip3,ip3+4),ip_block=21,mvrange(ip3,ip3+8),ip_block=20,mvrange(ip3,ip3+16),ip_block=19,mvrange(ip3,ip3+32),ip_block=18,mvrange(ip3,ip3+64),ip_block=17,mvrange(ip3,ip3+128),1=1,ip3)
| mvexpand ip2B
| mvexpand ip3B
| eval ip_wildcard=ip1.".".ip2B.".".ip3B.".*"
| fields - ip1* ip2* ip3* cidr_wildcard

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

landen99
Motivator
‎04-20-2020 01:49 PM

The following macro displays the wildcard string matches to a given CIDR:

 rex field=cidr "^(?<ip_base>[\d\.]{7,})\/(?<ip_block>\d{1,2})$"
| rex field=ip_base "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)"
| eval ip2B=case(ip_block<=8,"*",ip_block=16,ip2,ip_block=15,mvrange(ip2,ip2+2),ip_block=14,mvrange(ip2,ip2+4),ip_block=13,mvrange(ip2,ip2+8),ip_block=12,mvrange(ip2,ip2+16),ip_block=11,mvrange(ip2,ip2+32),ip_block=10,mvrange(ip2,ip2+64),ip_block=9,mvrange(ip2,ip2+128),1=1,ip2)
| eval ip3B=case(ip_block<=16,"*",ip_block=16,ip3,ip_block=23,mvrange(ip3,ip3+2),ip_block=22,mvrange(ip3,ip3+4),ip_block=21,mvrange(ip3,ip3+8),ip_block=20,mvrange(ip3,ip3+16),ip_block=19,mvrange(ip3,ip3+32),ip_block=18,mvrange(ip3,ip3+64),ip_block=17,mvrange(ip3,ip3+128),1=1,ip3)
| mvexpand ip2B
| mvexpand ip3B
| eval ip_wildcard=ip1.".".ip2B.".".ip3B.".*"
| fields - ip1* ip2* ip3* cidr_wildcard
0 Karma
Reply
Get Updates on the Splunk Community!

Dashboard Studio Challenge - Learn New Tricks, Showcase Your Skills, and Win Prizes!

Reimagine what you can do with your dashboards. Dashboard Studio is Splunk’s newest dashboard builder to ...

Introducing Edge Processor: Next Gen Data Transformation

We get it - not only can it take a lot of time, money and resources to get data into Splunk, but it also takes ...

Take the 2021 Splunk Career Survey for $50 in Amazon Cash

Help us learn about how Splunk has impacted your career by taking the 2021 Splunk Career Survey. Last year’s ...