Splunk Search

Group IP addresses in CIDR format

jevenson
Path Finder

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?

For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IP's are in each range.

Tags (1)
1 Solution

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

View solution in original post

jcoates_splunk
Splunk Employee
Splunk Employee
REGEX IP ADDRESS
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

REGEX RFC1918 IP ADDRESS
(192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3}

REGEX NON-RFC1918 IP ADDRESS
 \d{1,3}(?<!10|255)\.\d{1,3}\.\d{1,3}\.\d{1,3}
|\d{1,3}\.\d{1,3}(?<!192\.168|255\.255)\.\d{1,3}\.\d{1,3}

anewell
Path Finder

I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:


yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

0 Karma

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

jevenson
Path Finder

That second regex search worked great, thanks!

0 Karma
Get Updates on the Splunk Community!

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...

Introducing the 2024 SplunkTrust!

Hello, Splunk Community! We are beyond thrilled to announce our newest group of SplunkTrust members!  The ...