Filter IPs not in ranges

karimoss
Loves-to-Learn

Hello,

I have a list of IPs generated from the following search:

index=<source>| stats count by ip

and I want to identify IPs that do not belong to any of the IP address ranges in my results. Example:

a.b.c.101

a.b.c.102

a.b.c.103

d.e.f.g

a.b.c.104

I want to keep only the address d.e.f.g

Thanks in advance for your help

Regards,


yuanliu
SplunkTrust

As @VatsalJagani said, you need to talk to someone who understands IPv4 address space to help you formulate what you call "IP address ranges" into mathematical formula(e) that a computer can easily understand.  Maybe a network engineer in your organization. (You don't want to give your internal IP ranges to a public forum like this.)  These days, CIDR is the most common way of expressing IPv4 address ranges, and Splunk supports it right in the search command.  See CIDR matching.  Once you know your CIDR, you can do something like

index = <source> ip != <CIDR1> ip != <CIDR2>, ...
| stats count by ip


To give you an example using the same data as given in the document, you want to exclude 10.10.10.1 through 10.10.10.255, and your data contains these

_time                 ip
2023-09-23 16:08:12   10.10.10.12
2023-09-23 16:08:12   50.10.10.17
2023-09-23 16:08:12   10.10.10.23

You run


index = <source> ip != 10.10.10.0/24
| stats count by ip


The result is

ip            count
50.10.10.17   1

You can try this with the following emulation


| makeresults
| eval ip = split("10.10.10.12
50.10.10.17
10.10.10.23", "
")
| mvexpand ip
``` the above emulates raw data ```
| search ip!=10.10.10.0/24
| stats count by ip


If you can't find suitable people to ask for help, there are also CIDR calculators online.  Just be careful with your proprietary data.

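The same CIDR exclusion can be checked outside Splunk before it goes into a saved search. The following is an added Python example, not code from this thread or from Splunk: it uses the standard ipaddress module to drop every address that falls inside any of a list of CIDR ranges and then counts the survivors, which is what `... ip != <CIDR> | stats count by ip` does. It goes beyond the single range in the answer above by accepting several ranges at once and by reporting values that are not valid IPs (which a search-time `!=` filter would silently keep). The sample events and the extra ranges are constructed for this example.

```python
"""Keep only the IP addresses that fall outside every given CIDR range.

Added example (not from the Splunk Community thread or from Splunk); it
mirrors the `ip != 10.10.10.0/24` search filter with Python's standard
ipaddress module so the expected result can be checked offline.
"""
import ipaddress
from collections import Counter

# Constructed sample events: (_time, ip), same shape as the table in the
# answer above, plus extra rows so that a second range, a repeated ip and a
# value that is not an IP at all are covered.
SAMPLE_EVENTS = [
    ("2023-09-23 16:08:12", "10.10.10.12"),
    ("2023-09-23 16:08:12", "50.10.10.17"),
    ("2023-09-23 16:08:12", "10.10.10.23"),
    ("2023-09-23 16:08:13", "192.168.1.5"),
    ("2023-09-23 16:08:13", "50.10.10.17"),
    ("2023-09-23 16:08:14", "not-an-ip"),
]


def parse_ranges(cidrs):
    """Turn CIDR strings into network objects.

    strict=False accepts a range written with host bits set
    (e.g. 10.10.10.1/24 is normalised to 10.10.10.0/24).
    """
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def outside_ranges(ips, cidrs):
    """Return (kept, invalid): ips in none of the ranges, and strings that are not IPs.

    An IPv6 address is never 'in' an IPv4 network, so mixed data is safe.
    """
    networks = parse_ranges(cidrs)
    kept, invalid = [], []
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw)
        except ValueError:
            # The search-time filter would keep such values; surface them instead.
            invalid.append(raw)
            continue
        if not any(addr in net for net in networks):
            kept.append(raw)
    return kept, invalid


def count_by_ip(events, cidrs):
    """Equivalent of `... ip != <CIDR...> | stats count by ip` over the events."""
    kept, _ = outside_ranges([ip for _, ip in events], cidrs)
    return dict(Counter(kept))


if __name__ == "__main__":
    # Same three events as the answer's table: only 50.10.10.17 survives.
    print(count_by_ip(SAMPLE_EVENTS[:3], ["10.10.10.0/24"]))
    # All constructed events, two excluded ranges.
    print(count_by_ip(SAMPLE_EVENTS, ["10.10.10.0/24", "192.168.0.0/16"]))
    print("invalid values:", outside_ranges([ip for _, ip in SAMPLE_EVENTS], [])[1])
```

Running the script on the three events from the answer yields only 50.10.10.17 with a count of 1, matching the result table above; the second call shows how additional ranges simply extend the list, which is the multi-CIDR form of the `ip != <CIDR1> ip != <CIDR2>` search.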

VatsalJagani
SplunkTrust

and I want to identify IPs that do not belong to any of the IP address ranges in my results. Example:

@karimoss - Do you want to print out all the possible IP addresses that are not in your result?

* How is d.e.f.g IP different from other IPs in the result set? Is it the only IP with a different subnet?

* Are you looking to find subnet-wise?


PickleRick
SplunkTrust

Also remember that by filtering early you make search more efficient.
