Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate network address

Nico99
Explorer
‎04-10-2024 12:24 AM

Hello everyone

I want to calculate the network address from an IP and a mask:

IP = 192.168.1.10
Mask = 255.255.255.0

Desired result = 192.168.1.0

Unfortunately I can't find a function or method to do this.

I looked for the 'cidrmatch' function but it only seems to return a boolean. Is there another way?

Thanks for your help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-11-2024 05:51 AM

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-11-2024 05:51 AM

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Nico99
Explorer
‎04-11-2024 12:08 AM

Good morning,

Thank you for the feedback.

Unfortunately the netmask is not fixed...

I'll try with the app
https://splunkbase.splunk.com/app/6595 

 

0 Karma
Reply
Solved! Jump to solution

Nico99
Explorer
‎04-15-2024 04:07 AM

Hi yuanliu

Thank you for the feedback.

It's perfect! 🙂

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-10-2024 01:40 AM

If your netmask is fixed, you can use the ipmask function

 

| eval result=ipmask("255.255.255.0", IP)

 

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...