Splunk Search

Group IP addresses in CIDR format

jevenson
Path Finder

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?

For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IP's are in each range.

Tags (1)
1 Solution

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

View solution in original post

jcoates_splunk
Splunk Employee
Splunk Employee
REGEX IP ADDRESS
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

REGEX RFC1918 IP ADDRESS
(192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3}

REGEX NON-RFC1918 IP ADDRESS
 \d{1,3}(?<!10|255)\.\d{1,3}\.\d{1,3}\.\d{1,3}
|\d{1,3}\.\d{1,3}(?<!192\.168|255\.255)\.\d{1,3}\.\d{1,3}

anewell
Path Finder

I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:


yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

0 Karma

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the ip addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

jevenson
Path Finder

That second regex search worked great, thanks!

0 Karma
Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...