Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Group IP addresses in CIDR format

jevenson
Path Finder
‎08-02-2012 11:40 AM

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?

For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IP's are in each range.

Tags (1)
Reply
1 Solution
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-04-2012 07:16 PM

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

View solution in original post

Reply
Solved! Jump to solution

jcoates_splunk
Splunk Employee
Splunk Employee
‎04-11-2016 11:45 AM 
REGEX IP ADDRESS
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

REGEX RFC1918 IP ADDRESS
(192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3}

REGEX NON-RFC1918 IP ADDRESS
 \d{1,3}(?<!10|255)\.\d{1,3}\.\d{1,3}\.\d{1,3}
|\d{1,3}\.\d{1,3}(?<!192\.168|255\.255)\.\d{1,3}\.\d{1,3}
Reply
Solved! Jump to solution

anewell
Path Finder
‎01-04-2013 10:09 AM

I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:


yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

0 Karma
Reply
Solved! Jump to solution
Solution

lguinn2
Legend
‎08-04-2012 07:16 PM

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet
Reply
Solved! Jump to solution

jevenson
Path Finder
‎08-08-2012 09:22 AM

That second regex search worked great, thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In April, the Splunk Threat Research Team had 2 releases of new security content via the Enterprise Security ...

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

What are Community Office Hours?Community Office Hours is an interactive 60-minute Zoom series where ...

It’s go time — Boston, here we come!

Are you ready to take your Splunk skills to the next level? Get set, because Splunk University is back, and ...
Top