Security

Network Search - How do I search for network addresses without using CIDR?

New Member

Hi All,

I am pretty new to this tool but excited about its capability. I am trying to search a network in my search; for a single host I know it is src=10.10.10.10 and dst=10.10.10.10, but I am not able to write the syntax for a network like 202.132.234.343 /32. Any inputs for this simple syntax would be highly appreciated. I cannot use CIDR for my purpose due to my requirements, so I am looking for some other syntax just for networks.

Thanks in advance.

0 Karma

Communicator

Hi cybercop007,

You have various options with regex syntax.

First option is using regex command, for example:

| regex <field>="^172\.(1[6-9]|2[0-9]|3[0-1])\..*"

https://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/Regex

Another option is evaluating a field with case() if you would like to classify various networks, for example:

| eval srctype=case(match(srcip,"^10\..*"), "Priv",match(srcip,"^192\.168\..*"), "Priv", match(srcip, "^172\.(1[6-9]|2[0-9]|3[0-1])\..*"), "Priv", 1==1, "Pub") 

http://docs.splunk.com/Documentation/Splunk/7.2.5/SearchReference/ConditionalFunctions

Hope this solves your problem.

0 Karma
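The answer above relies on hand-written anchored regexes standing in for network ranges. The following is an added example, not code from the original thread or from Splunk: a small Python script that (a) turns any IPv4 CIDR block into an equivalent anchored regex that can be pasted into `| regex <field>="..."` when CIDR syntax itself is not an option, (b) exhaustively checks the generated pattern against the block it should cover, and (c) reproduces the srctype=case(...) classification over a few constructed log events and compares it with an ipaddress-based RFC 1918 check, including what goes wrong when the leading `^` anchor is dropped. The function names, the SAMPLE_EVENTS data, and the emulation of the Splunk `regex` command are all assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample events for this example (not taken from the original post).
SAMPLE_EVENTS = [
    {"src": "10.10.10.10", "dst": "202.132.234.7"},
    {"src": "172.31.4.9", "dst": "10.10.10.200"},
    {"src": "172.32.0.1", "dst": "8.8.8.8"},        # looks private, but is outside 172.16.0.0/12
    {"src": "110.10.10.5", "dst": "192.168.1.1"},   # trap for an unanchored "10\." pattern
    {"src": "192.168.1.50", "dst": "202.132.234.7"},
]

# One decimal octet in the range 0-255, without leading zeros.
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"


def cidr_to_regex(network):
    """Return an anchored regex equivalent to an IPv4 CIDR block (hypothetical helper).

    Octets fully fixed by the prefix are emitted literally, the octet the prefix
    boundary falls in becomes an alternation of its allowed values, and any
    trailing octets accept 0-255. The output uses only PCRE-compatible syntax.
    """
    net = ipaddress.IPv4Network(network, strict=False)
    first, last = int(net.network_address), int(net.broadcast_address)
    parts = []
    for shift in (24, 16, 8, 0):
        lo, hi = (first >> shift) & 0xFF, (last >> shift) & 0xFF
        if lo == hi:
            parts.append(str(lo))
        elif (lo, hi) == (0, 255):
            parts.append(OCTET)
        else:
            parts.append("(?:" + "|".join(str(v) for v in range(lo, hi + 1)) + ")")
    return "^" + r"\.".join(parts) + "$"


def regex_matches_cidr_exactly(network):
    """Check the generated regex against every address in the block (use on small
    blocks only) and against the addresses immediately below and above it."""
    net = ipaddress.IPv4Network(network, strict=False)
    pat = re.compile(cidr_to_regex(network))
    inside_ok = all(pat.match(str(addr)) for addr in net)
    neighbours = (int(net.network_address) - 1, int(net.broadcast_address) + 1)
    outside_ok = all(
        not pat.match(str(ipaddress.IPv4Address(n)))
        for n in neighbours if 0 <= n <= 0xFFFFFFFF
    )
    return inside_ok and outside_ok


def search_network(events, field, network):
    """Emulate `| regex <field>="<pattern>"`: keep events whose field lies in the block."""
    pat = re.compile(cidr_to_regex(network))
    return [e for e in events if pat.match(e.get(field, ""))]


# The three RFC 1918 patterns from the answer, and the same ranges as networks.
RFC1918_PATTERNS = [r"^10\..*", r"^192\.168\..*", r"^172\.(1[6-9]|2[0-9]|3[0-1])\..*"]
RFC1918_NETWORKS = [ipaddress.IPv4Network(n)
                    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(ip, anchored=True):
    """Mirror srctype=case(...): "Priv" if any RFC 1918 regex matches, else "Pub".
    anchored=False strips the leading ^ to show why the anchor matters."""
    pats = RFC1918_PATTERNS if anchored else [p.lstrip("^") for p in RFC1918_PATTERNS]
    return "Priv" if any(re.search(p, ip) for p in pats) else "Pub"


def classification_mismatches(ips, anchored=True):
    """Addresses where the regex verdict disagrees with an ipaddress-based RFC 1918 check."""
    out = []
    for ip in ips:
        addr = ipaddress.IPv4Address(ip)
        truth = "Priv" if any(addr in n for n in RFC1918_NETWORKS) else "Pub"
        if classify(ip, anchored) != truth:
            out.append(ip)
    return out


if __name__ == "__main__":
    print("172.16.0.0/12 as regex:", cidr_to_regex("172.16.0.0/12"))
    for event in search_network(SAMPLE_EVENTS, "src", "10.10.10.0/24"):
        print("src in 10.10.10.0/24:", event)
    srcs = [e["src"] for e in SAMPLE_EVENTS]
    print("anchored mismatches:  ", classification_mismatches(srcs))
    print("unanchored mismatches:", classification_mismatches(srcs, anchored=False))
```

The regex for a block whose boundary falls mid-octet is an explicit alternation (for example 16 values for a /12 in the second octet), which is verbose but easy to audit; run regex_matches_cidr_exactly on any block before trusting the pattern in a production search. The unanchored run shows the practical caveat behind the answer's patterns: without `^`, `10\.` also matches inside 110.10.10.5, so a public source would be tagged "Priv".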