Splunk Search

Convert CIDR Range into list of member IPs.

pkeller
Contributor

Given a list of CIDR ranges ... 10.198.68.132/30, 10.244.18.150/31, 10.48.37.96/24

Is there a search that could extract the IPs in each range?

| table cidr_range
| makemv delim="/" cidr_range
| eval IP = mvindex(cidr_range,0)
| eval MASK = mvindex(cidr_range, 1)
| eval IP_SCOPE = case(MASK = 32, IP,
MASK = 31, IP . ":" . IP,
MASK = 30, IP . ":" . IP . ":" . IP . ":" . IP)
| makemv delim=":" IP_SCOPE

That's kind of the start, but I'm at a loss what to do next. ( and given a /24 .... that MASK assignment would look absolutely terrible. I'd need to take each multi-value field from IP_SCOPE, and increment by one the last octet, add 1 if it's not the first value then glue them back together. There must be an easier way.

Tags (1)
0 Karma
1 Solution

sbbadri
Motivator

Hi,

transforms.conf

[testcsv]
default_match = OK
filename = testcsv.csv
max_matches = 1
min_matches = 1
match_type = CIDR(cidr_range)

props.conf

[sourcetypetest]
LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc

I hope this help.

View solution in original post

0 Karma

landen99
Motivator

The following macro displays the wildcard string matches to a given CIDR:

rex field=cidr "^(?<ip_base>[\d\.]{7,})\/(?<ip_block>\d{1,2})$"
| rex field=ip_base "(?<ip1>\d+)\.(?<ip2>\d+)\.(?<ip3>\d+)"
| eval ip2B=case(ip_block<=8,"*",ip_block=16,ip2,ip_block=15,mvrange(ip2,ip2+2),ip_block=14,mvrange(ip2,ip2+4),ip_block=13,mvrange(ip2,ip2+8),ip_block=12,mvrange(ip2,ip2+16),ip_block=11,mvrange(ip2,ip2+32),ip_block=10,mvrange(ip2,ip2+64),ip_block=9,mvrange(ip2,ip2+128),1=1,ip2)
| eval ip3B=case(ip_block<=16,"*",ip_block=16,ip3,ip_block=23,mvrange(ip3,ip3+2),ip_block=22,mvrange(ip3,ip    3+4),ip_block=21,mvrange(ip3,ip3+8),ip_block=20,mvrange(ip3,ip3+16),ip_block=19,mvrange(ip3,ip3+32),ip_block=18,mvrange(ip3,ip3+64),ip_block=17,mvrange(ip3,ip3+128),1=1,ip3)
| mvexpand ip2B
| mvexpand ip3B
| eval ip_wildcard=ip1.".".ip2B.".".ip3B.".*" 
| fields - ip1* ip2* ip3* cidr_wildcard

sbbadri
Motivator

Hi,

transforms.conf

[testcsv]
default_match = OK
filename = testcsv.csv
max_matches = 1
min_matches = 1
match_type = CIDR(cidr_range)

props.conf

[sourcetypetest]
LOOKUP-test = testcsv cidr_range AS IP OUTPUTNEW field1 field2 etc

I hope this help.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...