Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate network address

Nico99
Explorer
‎04-10-2024 12:24 AM

Hello everyone

I want to calculate the network address from an IP and a mask:

IP = 192.168.1.10
Mask = 255.255.255.0

Desired result = 192.168.1.0

Unfortunately I can't find a function or method to do this.

I looked for the 'cidrmatch' function but it only seems to return a boolean. Is there another way?

Thanks for your help!

Labels (1)
Labels
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-11-2024 05:51 AM

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

View solution in original post

Tags (1)
0 Karma
Reply
Solved! Jump to solution
Solution

yuanliu
SplunkTrust
SplunkTrust
‎04-11-2024 05:51 AM

If you are willing to accept some acrobat, ipmask can be used even with variable net masks.

 

| map search="| makeresults |fields - _*
  | eval Network = ipmask(\"$Mask$\", $IP$), IP = $IP$, Mask = $Mask$"

 

Emulated data below should give

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0
10.54.3.8255.255.246.010.54.2.0

Here is the emulation for you to play with and compare with real data

 

| makeresults format=csv data="IP, Mask
192.168.1.10, 255.255.255.0
10.54.3.8, 255.255.246.0"

 

But again, to say 192.168.1.0 is a network address is (very) classism.  The CIDR expressions should be

IPMaskNetwork
192.168.1.10255.255.255.0192.168.1.0/24
10.54.3.8255.255.248.010.54.0.0/21

N'est-ce pas?  This can be obtained with a bit of bit math, like this:

 

| map search="| makeresults |fields - _*
  | eval Mask = split($Mask$, \".\"), Mask = 32 - sum(mvmap(Mask, log(256 - Mask,2))),
  Network = ipmask(\"$Mask$\", $IP$) . \"/\" . Mask, IP = $IP$, Mask = $Mask$"

 

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

Nico99
Explorer
‎04-11-2024 12:08 AM

Good morning,

Thank you for the feedback.

Unfortunately the netmask is not fixed...

I'll try with the app
https://splunkbase.splunk.com/app/6595 

 

0 Karma
Reply
Solved! Jump to solution

Nico99
Explorer
‎04-15-2024 04:07 AM

Hi yuanliu

Thank you for the feedback.

It's perfect! 🙂

 

 

0 Karma
Reply
Solved! Jump to solution

ITWhisperer
SplunkTrust
SplunkTrust
‎04-10-2024 01:40 AM

If your netmask is fixed, you can use the ipmask function

 

| eval result=ipmask("255.255.255.0", IP)

 

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...