Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How do I do a cidr match/not match in a tstats search?

MonkeyK
Builder
‎10-31-2016 04:06 PM

I am trying to get a list of the most common sources and destinations of blocked traffic from the previous day with some exclusions (like not sourced fromauthorized vulnerability scanners). So far I have come up with

Sources:

|tstats summariesonly=t count FROM datamodel=Network_Traffic
WHERE All_Traffic.action!="allowed" All_Traffic.src_ip!=64.39.96.0/20 earliest=-1d@d latest=@d
BY All_Traffic.src_ip
| sort limit=10 -count

But when I do the above, I get results that include an IP address that is in 64.39.96.0/20

I have learned that I can search my results to get rid of the extra source:

|tstats summariesonly=t count FROM datamodel=Network_Traffic
WHERE All_Traffic.action!="allowed" All_Traffic.src_ip!=64.39.96.0/20 earliest=-1d@d latest=@d
BY All_Traffic.src_ip
| search All_Traffic.src_ip!=64.39.96.0/20
| sort limit=10 -count

but this feels inefficient (query something that I don't need and remove it later).

Also, it does not address my next use case: top destination IPs where the source does not include 64.39.96.0/20

|tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.action!="allowed" All_Traffic.src_ip!=64.39.96.0/20 earliest=-1d@d latest=@d
BY All_Traffic.dest_ip
| sort limit=10 -count

is there a way to exclude 64.39.96.0/20 directly in the where clause?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:38 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:38 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎06-25-2019 10:40 AM

Just a note that 7.3 adds the ability to have negated CIDR in tstats.

Reply
Solved! Jump to solution

woodcock
Esteemed Legend
‎06-25-2019 11:48 AM

I knew that there was something new in 7.something. Thanks!

0 Karma
Reply
Solved! Jump to solution

wryanthomas
Contributor
‎06-10-2021 10:32 AM

We've observed that the cidr match functionality in tstats (as described in answer by woodcock -- thanks!) is working for IPv4 addresses ... but not for IPv6 addresses.  Any info on support for cidr match in tstats for IPv6 addresses?

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-01-2016 07:29 PM

I think that I have a way to do the filtering.
By counting on both source and destination, I can then search my results to remove the cidr range, and follow up with a sum on the destinations before sorting them for my top 10

|tstats summariesonly=t count FROM datamodel=Network_Traffic.All_Traffic
WHERE All_Traffic.action!="allowed" earliest=-1d@d latest=@d

BY All_Traffic.src_ip All_Traffic.dest_ip
| search All_Traffic.src_ip!=64.39.96.0/20
| chart sum(count) as Count over All_Traffic.dest_ip
| sort limit=10 -Count

Still seems inefficient (although faster than without tstats). Maybe Splunk could do something about that.

0 Karma
Reply
Solved! Jump to solution

isabel_ycourbe
Path Finder
‎02-13-2018 04:20 AM

I just ran into your answer since I had the same issue, to slightly improve performance (I think - didn't measure) I did a pre-filter on the tstat using wildcards so I give less results to search, then narrow the results with search (in my case I needed to filter all private IPs) as you suggested

| tstats summariesonly=T 
    count 
    from datamodel=Network_Traffic.All_Traffic 
    where 
        (
            All_Traffic.dest=10.*
            OR All_Traffic.dest=192.168.*
            OR All_Traffic.dest=172.* 
        ) 
        AND All_Traffic.action="allowed" 
        AND 
        (
            All_Traffic.transport="tcp"
            OR All_Traffic.transport="udp"
        ) 
    by All_Traffic.dest
| search All_Traffic.dest=10.0.0.0/8
    OR All_Traffic.dest=192.168.0.0/16
    OR All_Traffic.dest=172.16.0.0/12

In my case the wildcards we almost enough since it works well for /16 and /8, but I still needed to use a CIDR search for 172.16.0.0/12.

Reply
Solved! Jump to solution

MonkeyK
Builder
‎02-13-2018 01:50 PM

Good suggestion!

0 Karma
Reply
Solved! Jump to solution

MonkeyK
Builder
‎11-07-2016 10:19 AM

I feel a little cheesy accepting my own answer, but I don't think that something better is coming along.

0 Karma
Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎12-21-2016 07:46 AM

You shouldn't this is the only correct answer at the moment. Tstats is not CIDR aware for WHERE clauses.

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Custom Visualizations App End of Life

The Splunk Custom Visualizations apps End of Life for SimpleXML will reach end of support on Dec 21, 2024, ...

Introducing Splunk Enterprise 9.2

WATCH HERE! Watch this Tech Talk to learn about the latest features and enhancements shipped in the new Splunk ...

Adoption of RUM and APM at Splunk

    Unleash the power of Splunk Observability   Watch Now In this can't miss Tech Talk! The Splunk Growth ...