Solved: Re: Exclude Source IP and Destination IP from resu...

sarwshai · ‎06-29-2021

Hi There,

How do i Exclude Source IP and Destination IP from results if they belong to same private ip range? For e.g. in the results as shown below

src_ip	dest_ip	count
10.0.0.1	10.10.0.1	1
10.0.0.1	192.168.0.1	1

I need to exclude the first row in the statistics as they belong to same private ip range but want to keep the second row.

sarwshai · ‎06-29-2021

Well i tried this and it worked for me, thanks @ITWhisperer

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr

View solution in original post

kamlesh_vaghela · ‎06-29-2021

@sarwshai

Can you please try this?

Here I have considered below IP ranges as private IP ranges.

Private IP addresses:

10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255

YOUR_SEARCH
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

My Sample Search :

| makeresults | eval _raw="src_ip	dest_ip	count
10.0.0.1	10.10.0.1	1
10.0.0.1	192.168.0.1	1
10.0.0.1	10.10.0.1	1
10.0.0.1	10.10.0.1	1
172.16.0.0	172.31.255.255	1
192.168.0.0	192.168.255.255	1
10.0.0.1	10.10.0.1	1
" | multikv forceheader=1
| rex field=src_ip "(?<src_range_1>[0-9]{1,3}).(?<src_range_2>[0-9]{1,3}).[0-9]{1,3}."
| rex field=dest_ip "(?<dest_range_1>[0-9]{1,3}).(?<dest_range_2>[0-9]{1,3}).[0-9]{1,3}."
| table src_ip	dest_ip	count src_range* dest_range_1 dest_range_2
| eval is_valid_ip = case(
src_range_1="10" and src_range_1=dest_range_1,"0",
src_range_1="192" and src_range_1=dest_range_1,"0",
src_range_1="172" and src_range_1=dest_range_1 and src_range_2>15 and dest_range_2<32,"0",
1==1,"1")
| where is_valid_ip="1"
| table src_ip	dest_ip	count

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

sarwshai · ‎06-29-2021

Well i tried this and it worked for me, thanks @ITWhisperer

.....| eval str=if(cidrmatch(10.0.0.0/8,src),1,0)| eval dtr=if(cidrmatch(10.0.0.0/8,dest),1,0)| stats count by src dest str dtr|where str!=dtr

ITWhisperer · ‎06-29-2021

Try something like:

| where NOT cidrmatch("10.0.0.0/8", src_ip) OR NOT cidrmatch("10.0.0.0/8", dest_ip)

sarwshai · ‎06-29-2021

No it doesn't work by this.

ITWhisperer · ‎06-29-2021

In what way?

sarwshai · ‎06-29-2021

I am still getting the same private ip range in the same rows

Exclude Source IP and Destination IP from results if they belong to same private ip range

eval

stats

.conf24 | Day 0

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

Troubleshooting the OpenTelemetry Collector