Splunk Search

Calculate network address

Nico99
Explorer

Hello everyone

I want to calculate the network address from an IP and a mask:

IP = 192.168.1.10
Mask = 255.255.255.0

Desired result = 192.168.1.0

Unfortunately I can't find a function or method to do this.

I looked for the 'cidrmatch' function but it only seems to return a boolean. Is there another way?

Thanks for your help!

Labels (1)
0 Karma
1 Solution

yuanliu
SplunkTrust
SplunkTrust

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

View solution in original post

Tags (1)
0 Karma

yuanliu
SplunkTrust
SplunkTrust

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

Tags (1)
0 Karma

Nico99
Explorer

Good morning,

Thank you for the feedback.

Unfortunately the netmask is not fixed...

I'll try with the app
https://splunkbase.splunk.com/app/6595 

 

0 Karma

Nico99
Explorer

Hi yuanliu

Thank you for the feedback.

It's perfect! 🙂

 

 

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

If your netmask is fixed, you can use the ipmask function

 

| eval result=ipmask("255.255.255.0", IP)

 

0 Karma
Get Updates on the Splunk Community!

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability

Solve Problems Faster with New, Smarter AI and Integrations in Splunk Observability As businesses scale ...