Splunk Search

Exclude Source IP and Destination IP from results if they belong to same private ip range

sarwshai
Communicator

Hi There,

How do i Exclude Source IP and Destination IP from results if they belong to same private ip range? For e.g. in the results as shown below

src_ipdest_ipcount
10.0.0.110.10.0.11
10.0.0.1192.168.0.11

 

I need to exclude the first row in the statistics as they belong to same private ip range but want to keep the second row.

Labels (2)
0 Karma
1 Solution

sarwshai
Communicator

Well i tried this and it worked for me, thanks @ITWhisperer 

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr

View solution in original post

0 Karma

kamlesh_vaghela
SplunkTrust
SplunkTrust

@sarwshai 

Can you please try this?

Here I have considered below IP ranges as private IP ranges.

Private IP addresses:

  • 10.0.0.0 to 10.255.255.255
  • 172.16.0.0 to 172.31.255.255
  • 192.168.0.0 to 192.168.255.255

 

YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

 

My Sample Search :

| makeresults | eval _raw="src_ip	dest_ip	count
10.0.0.1	10.10.0.1	1
10.0.0.1	192.168.0.1	1
10.0.0.1	10.10.0.1	1
10.0.0.1	10.10.0.1	1
172.16.0.0	172.31.255.255	1
192.168.0.0	192.168.255.255	1
10.0.0.1	10.10.0.1	1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

 

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated. 

0 Karma

sarwshai
Communicator

Well i tried this and it worked for me, thanks @ITWhisperer 

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr
0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

Try something like:

| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)
0 Karma

sarwshai
Communicator

No it doesn't work by this.

0 Karma

ITWhisperer
SplunkTrust
SplunkTrust

In what way?

0 Karma

sarwshai
Communicator

I am still getting the same private ip range in the same rows

0 Karma
Get Updates on the Splunk Community!

What's New in Splunk Cloud Platform 9.2.2403?

Hi Splunky people! We are excited to share the newest updates in Splunk Cloud Platform 9.2.2403! Analysts can ...

Stay Connected: Your Guide to July and August Tech Talks, Office Hours, and Webinars!

Dive into our sizzling summer lineup for July and August Community Office Hours and Tech Talks. Scroll down to ...

Edge Processor Scaling, Energy & Manufacturing Use Cases, and More New Articles on ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...