Splunk Search

Can I use CIDR in the deployment server?

Lowell
Super Champion

Is is possible to specify a client group using a CIDR pattern to simplify app deployment to a network segment?

0 Karma

Lowell
Super Champion

The short answer is no. Out of the box, Splunk does not support CIDR matching. However, the it is possible to convert CIDR to regex patterns via a script I found online.

The following python code that will convert a CIDR to a regular expression usable. A color coded and downloadable version is available here: https://gist.github.com/lowell80/10428118


cird2regex.py:

#!/usr/bin/env python
    ''' Splunk deployment based on CIDR

    Splunk's deployment server does not support CIDR based matching out of the box,
    but they do support PCRE regex matching.  I found this script online and
    modified it slightly to match Splunk's specific regex variation.  (Basically,
    Splunk uses standards PCRE but replace the meaning of "." and "*" to act more
    like traditional glob strings.)  The values returned by this script can be
    used in the serverclass.conf for either whitelist.<n> or blacklist.<n> values.
    See the Splunk docs for more details.

    Example usage:
        echo "10.0.1.0/22" | python cidr2regex.py

    Example output:
        ^10.0.[0-3].\d+$


    Original cidr2regex.py script:
        https://gist.github.com/tom-knight/1b5e0dcf39062af8910e

    Thanks to github users:
        petermblair, 2xyo, mordyovits, tom-knight

    Splunk docs:
        http://docs.splunk.com/Documentation/Splunk/latest/Admin/Serverclassconf

    '''

    import sys
    from math import log10

    def cidr_to_regex(cidr):
        ip, prefix = cidr.split('/')

        base = 0
        for val in map(int, ip.split('.')):
            base = (base << 😎 | val

        shift = 32 - int(prefix)
        start = base >> shift << shift
        end = start | (1 << shift) - 1

        def regex(lower, upper):
            if lower == upper:
                return str(lower) 

            exp = int(log10(upper - lower))
            if (int(str(lower)[-1]) > int(str(upper)[-1]) and exp == 0):
                # increasing exp due to base 10 wrap to next exp
                exp += 1
            delta = 10 ** exp

            if lower == 0 and upper == 255:
                return "\d+"

            if delta == 1:
                val = ""
                for a, b in zip(str(lower), str(upper)):
                    if a == b:
                        val += str(a)
                    elif (a, b) == ("0", "9"):
                        val += '\d'
                    elif int(b) - int(a) == 1:
                        val += '[%s%s]' % (a, b)
                    else:
                        val += '[%s-%s]' % (a, b)
                return val

            def gen_classes():
                def floor_(x):
            return int(round(x / delta, 0) * delta)

                xs = range(floor_(upper) - delta, floor_(lower), -delta)
                for x in map(str, xs):
                    yield '%s%s' % (x[:-exp], r'\d' * exp)

                yield regex(lower, floor_(lower) + (delta - 1))
                yield regex(floor_(upper), upper)
            return "(%s)" % '|'.join(gen_classes())

        def get_parts():
            for x in range(24, -1, -8):
                yield regex(start >> x & 255, end >> x & 255)

        # Not using the typical r'\.' regex because Splunk automatically 
        # replaces "." with "\." for the whitelist and blacklist entries.
        return '^%s$' % '.'.join(get_parts())

    for line in sys.stdin.readlines():
        print cidr_to_regex( line )
        print

bill_kirby
Explorer

Thanks, Lowell!

0 Karma

kiran331
Builder

HI Lowell, please let me know Where to put this script file?

0 Karma