Splunk Search

Explorer

Problem: Huge list of IP addresses across multiple subnets, how to group and list in order of subnets.

This is what we came up with:

```
index=dhcp dest_ip="10.0.0.0/8"
| where dest != dest_ip
| stats count(dest) by dest, dest_ip
| eval ipoctet=split(dest_ip, ".")
| eval int1=floor(tonumber(mvindex(ipoctet,0))*16777216)
| eval int2=floor(tonumber(mvindex(ipoctet,1))*65536)
| eval int3=floor(tonumber(mvindex(ipoctet,2))*256)
| eval ipv4int=int1+int2+int3+(tonumber(mvindex(ipoctet,3)))
| sort ipv4int
| table dest, dest_ip, ipv4int
```
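The octet-weighted conversion in the search above, reproduced in Python as an added example (not code from the original post), so the resulting order can be checked offline. It also does the CIDR filter and the per-subnet grouping the question asks for; `SAMPLE_IPS` is a constructed input, and the `/24` bucket size is an assumption.

```python
from collections import defaultdict

# Same weights the SPL eval chain uses: 256**3, 256**2, 256**1, 256**0
OCTET_WEIGHTS = (16777216, 65536, 256, 1)


def ipv4_to_int(addr: str) -> int:
    """Dotted-quad -> 32-bit integer, mirroring split()/mvindex()/eval."""
    octets = addr.split(".")
    if len(octets) != 4:
        raise ValueError(f"not an IPv4 address: {addr!r}")
    value = 0
    for weight, octet in zip(OCTET_WEIGHTS, octets):
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range in {addr!r}")
        value += weight * n
    return value


def int_to_ipv4(value: int) -> str:
    """Inverse of ipv4_to_int, used to label subnet buckets."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def in_cidr(addr: str, cidr: str) -> bool:
    """Equivalent of dest_ip="10.0.0.0/8" in the search: mask and compare."""
    network, prefix = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(prefix))) & 0xFFFFFFFF
    return ipv4_to_int(addr) & mask == ipv4_to_int(network) & mask


def group_by_subnet(addrs, prefix=24):
    """Sort numerically (not lexically) and bucket addresses into /prefix
    subnets; the buckets come out in subnet order because of the sort."""
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    groups = defaultdict(list)
    for addr in sorted(addrs, key=ipv4_to_int):
        net = ipv4_to_int(addr) & mask
        groups[f"{int_to_ipv4(net)}/{prefix}"].append(addr)
    return dict(groups)


# Constructed sample: a plain string sort would place 10.0.0.10 before 10.0.0.9
SAMPLE_IPS = ["10.0.1.5", "10.0.0.10", "192.168.1.1", "10.0.0.9",
              "10.0.1.200", "10.0.0.255"]

if __name__ == "__main__":
    in_scope = [ip for ip in SAMPLE_IPS if in_cidr(ip, "10.0.0.0/8")]
    for subnet, members in group_by_subnet(in_scope).items():
        print(subnet, members)
```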
1 Solution
Ultra Champion

What's wrong with:

```
...| sort ip(your_ip_field) | ...
```

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Sort

/K

Ultra Champion

You can also simplify the search in (at least) the following way (not really that much more efficient, but easier to read):

`index=dhcp dest_ip=10.* dest!=dest_ip | ...`

Perhaps more can be done - depending on log content and your desired outcome.

Explorer

Other than that it's a simple and far more straightforward solution?
