Splunk Search

Can I use CIDR in the deployment server?

Super Champion

Is is possible to specify a client group using a CIDR pattern to simplify app deployment to a network segment?

0 Karma

Super Champion

The short answer is no. Out of the box, Splunk does not support CIDR matching. However, the it is possible to convert CIDR to regex patterns via a script I found online.

The following python code that will convert a CIDR to a regular expression usable. A color coded and downloadable version is available here: https://gist.github.com/lowell80/10428118


#!/usr/bin/env python
    ''' Splunk deployment based on CIDR

    Splunk's deployment server does not support CIDR based matching out of the box,
    but they do support PCRE regex matching.  I found this script online and
    modified it slightly to match Splunk's specific regex variation.  (Basically,
    Splunk uses standards PCRE but replace the meaning of "." and "*" to act more
    like traditional glob strings.)  The values returned by this script can be
    used in the serverclass.conf for either whitelist.<n> or blacklist.<n> values.
    See the Splunk docs for more details.

    Example usage:
        echo "" | python cidr2regex.py

    Example output:

    Original cidr2regex.py script:

    Thanks to github users:
        petermblair, 2xyo, mordyovits, tom-knight

    Splunk docs:


    import sys
    from math import log10

    def cidr_to_regex(cidr):
        ip, prefix = cidr.split('/')

        base = 0
        for val in map(int, ip.split('.')):
            base = (base << 😎 | val

        shift = 32 - int(prefix)
        start = base >> shift << shift
        end = start | (1 << shift) - 1

        def regex(lower, upper):
            if lower == upper:
                return str(lower) 

            exp = int(log10(upper - lower))
            if (int(str(lower)[-1]) > int(str(upper)[-1]) and exp == 0):
                # increasing exp due to base 10 wrap to next exp
                exp += 1
            delta = 10 ** exp

            if lower == 0 and upper == 255:
                return "\d+"

            if delta == 1:
                val = ""
                for a, b in zip(str(lower), str(upper)):
                    if a == b:
                        val += str(a)
                    elif (a, b) == ("0", "9"):
                        val += '\d'
                    elif int(b) - int(a) == 1:
                        val += '[%s%s]' % (a, b)
                        val += '[%s-%s]' % (a, b)
                return val

            def gen_classes():
                def floor_(x):
            return int(round(x / delta, 0) * delta)

                xs = range(floor_(upper) - delta, floor_(lower), -delta)
                for x in map(str, xs):
                    yield '%s%s' % (x[:-exp], r'\d' * exp)

                yield regex(lower, floor_(lower) + (delta - 1))
                yield regex(floor_(upper), upper)
            return "(%s)" % '|'.join(gen_classes())

        def get_parts():
            for x in range(24, -1, -8):
                yield regex(start >> x & 255, end >> x & 255)

        # Not using the typical r'\.' regex because Splunk automatically 
        # replaces "." with "\." for the whitelist and blacklist entries.
        return '^%s$' % '.'.join(get_parts())

    for line in sys.stdin.readlines():
        print cidr_to_regex( line )


Thanks, Lowell!

0 Karma


It doesn't work - it complains about  indentation

0 Karma


HI Lowell, please let me know Where to put this script file?

0 Karma
Get Updates on the Splunk Community!

Database Performance Sidebar Panel Now on APM Database Query Performance & Service ...

We’ve streamlined the troubleshooting experience for database-related service issues by adding a database ...

IM Landing Page Filter - Now Available

We’ve added the capability for you to filter across the summary details on the main Infrastructure Monitoring ...

Dynamic Links from Alerts to IM Navigators - New in Observability Cloud

Splunk continues to improve the troubleshooting experience in Observability Cloud with this latest enhancement ...