Splunk Search
×
Are you a member of the Splunk Community?
Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Convert CIDR Range into list of member IPs.
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
pkeller
Contributor
06-30-2017
08:56 AM
Given a list of CIDR ranges ... 10.198.68.132/30, 10.244.18.150/31, 10.48.37.96/24
Is there a search that could extract the IPs in each range?
| table cidr_range
| makemv delim="/" cidr_range
| eval IP = mvindex(cidr_range,0)
| eval MASK = mvindex(cidr_range, 1)
| eval IP_SCOPE = case(MASK = 32, IP,
MASK = 31, IP . ":" . IP,
MASK = 30, IP . ":" . IP . ":" . IP . ":" . IP)
| makemv delim=":" IP_SCOPE
That's kind of the start, but I'm at a loss what to do next. ( and given a /24 .... that MASK assignment would look absolutely terrible. I'd need to take each multi-value field from IP_SCOPE, and increment by one the last octet, add 1 if it's not the first value then glue them back together. There must be an easier way.
1 Solution
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
06-30-2017
09:10 AM
Hi,
transforms.conf
[testcsv]
default_match = OK
filename = testcsv.csv
max_matches = 1
min_matches = 1
match_type = CIDR(cidr_range)
props.conf
[sourcetypetest]
LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc
I hope this help.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
landen99
Motivator
04-20-2020
01:44 PM
The following macro displays the wildcard string matches to a given CIDR:
rex field=cidr "^(?<ip_base>[\d\.]{7,})\/(?<ip_block>\d{1,2})$"
| rex field=ip_base "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)"
| eval ip2B=case(ip_block<=8,"*",ip_block=16,ip2,ip_block=15,mvrange(ip2,ip2+2),ip_block=14,mvrange(ip2,ip2+4),ip_block=13,mvrange(ip2,ip2+8),ip_block=12,mvrange(ip2,ip2+16),ip_block=11,mvrange(ip2,ip2+32),ip_block=10,mvrange(ip2,ip2+64),ip_block=9,mvrange(ip2,ip2+128),1=1,ip2)
| eval ip3B=case(ip_block<=16,"*",ip_block=16,ip3,ip_block=23,mvrange(ip3,ip3+2),ip_block=22,mvrange(ip3,ip 3+4),ip_block=21,mvrange(ip3,ip3+8),ip_block=20,mvrange(ip3,ip3+16),ip_block=19,mvrange(ip3,ip3+32),ip_block=18,mvrange(ip3,ip3+64),ip_block=17,mvrange(ip3,ip3+128),1=1,ip3)
| mvexpand ip2B
| mvexpand ip3B
| eval ip_wildcard=ip1.".".ip2B.".".ip3B.".*"
| fields - ip1* ip2* ip3* cidr_wildcard
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
sbbadri
Motivator
06-30-2017
09:10 AM
Hi,
transforms.conf
[testcsv]
default_match = OK
filename = testcsv.csv
max_matches = 1
min_matches = 1
match_type = CIDR(cidr_range)
props.conf
[sourcetypetest]
LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc
I hope this help.
Get Updates on the Splunk Community!
Detecting Brute Force Account Takeover Fraud with Splunk
This article is the second in a three-part series exploring advanced fraud detection techniques using Splunk. ...
Buttercup Games: Further Dashboarding Techniques (Part 9)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
Buttercup Games: Further Dashboarding Techniques (Part 8)
This series of blogs assumes you have already completed the Splunk Enterprise Search Tutorial as it uses the ...
