Splunk Search

How do I match IPs with discontiguous mask?

patricknguyen
Explorer

I am trying to match IPs from a discontiguous mask as follows:

10.0.32.64/255.0.224.192

where

1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255

A couple solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.

I wonder if there is any efficient way to do the match in this case.

Thanks,
-Patrick


DalJeanis
SplunkTrust

The regex is not that complicated.

\b10\.\d*\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2\d\d)

Try it out over at regex101 - https://regex101.com/r/97ZRw8/1/


patricknguyen
Explorer

Thanks for your suggestion. Yes, the regex is not that complicated, but the caveat here is that Splunk only evaluates a regex against one field. In my case I want to match traffic from either the "source_ip" field OR the "destination_ip" field in the same query, and I cannot do that with a regex in one query.

I have to use two different queries with regex: one query with a regex to match source_ip and one query with a regex to match destination_ip only.

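The two points raised in this thread, deriving a regex from a discontiguous mask and applying it to source_ip OR destination_ip in a single query, as an added example that is not from the original thread and is not Splunk's own code. It is Python that generalizes DalJeanis's hand-written regex: it derives the per-octet ranges from any address/mask pair using the bitmask test (ip & mask) == (base & mask), emits a backslash-free regex from them, exhaustively checks that regex per octet against the bitmask, and builds the SPL clause `| where match(source_ip, "...") OR match(destination_ip, "...")` that covers both fields in one search. One caveat the example accounts for: with the literal 10.0.32.64/255.0.224.192 the bitmask arithmetic gives 64-127 for the last octet (64 & 192 = 64); the 192-255 range stated in the question corresponds to a base of 10.0.32.192, which is what the example uses. The field names source_ip and destination_ip follow the question; the sample events are constructed.

```python
"""Discontiguous-mask IP matching: bitmask test, regex generation, per-octet
verification, and one SPL where-clause covering several fields (added example)."""
import re
from itertools import groupby


def parse_ip(s):
    octets = [int(p) for p in s.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {s}")
    return octets


def mask_match(ip, base, mask):
    """True if ip is in base/mask for ANY mask, contiguous or not."""
    return all((i & m) == (b & m)
               for i, b, m in zip(parse_ip(ip), parse_ip(base), parse_ip(mask)))


def octet_runs(base_octet, mask_octet):
    """Contiguous runs [(lo, hi), ...] of values v with (v & mask) == (base & mask).
    A mask octet with a hole in it (e.g. 0b10100000) yields several runs."""
    want = base_octet & mask_octet
    hits = [v for v in range(256) if (v & mask_octet) == want]
    runs = []
    for _, grp in groupby(enumerate(hits), key=lambda t: t[1] - t[0]):
        vals = [v for _, v in grp]
        runs.append((vals[0], vals[-1]))
    return runs


def _digits(lo, hi, width):
    """Regex alternatives for the zero-padded `width`-digit forms of lo..hi."""
    if width == 0:
        return [""]
    lo_s, hi_s = str(lo).zfill(width), str(hi).zfill(width)
    if lo == hi:
        return [lo_s]
    sub_w, full = width - 1, 10 ** (width - 1) - 1
    d_lo, d_hi = int(lo_s[0]), int(hi_s[0])
    r_lo, r_hi = int(lo_s[1:] or "0"), int(hi_s[1:] or "0")
    if d_lo == d_hi:                       # same leading digit: recurse on the rest
        return [lo_s[0] + p for p in _digits(r_lo, r_hi, sub_w)]
    pieces = []
    if r_lo != 0:                          # partial block under the low leading digit
        pieces += [lo_s[0] + p for p in _digits(r_lo, full, sub_w)]
        d_lo += 1
    if r_hi != full:                       # partial block under the high leading digit
        d_hi -= 1
    if d_lo <= d_hi:                       # leading digits whose whole block is covered
        lead = str(d_lo) if d_lo == d_hi else f"[{d_lo}-{d_hi}]"
        pieces.append(lead + "[0-9]" * sub_w)
    if r_hi != full:
        pieces += [hi_s[0] + p for p in _digits(0, r_hi, sub_w)]
    return pieces


def range_regex(lo, hi):
    """Alternatives matching decimal integers lo..hi (0-255) without leading zeros."""
    pieces = []
    for width in (1, 2, 3):
        w_lo, w_hi = (0 if width == 1 else 10 ** (width - 1)), 10 ** width - 1
        a, b = max(lo, w_lo), min(hi, w_hi)
        if a <= b:
            pieces += _digits(a, b, width)
    return pieces


def mask_regex(base, mask):
    """Regex for base/mask. Uses [0-9], [.] and lookarounds instead of \\d, \\. and
    \\b so there are no backslashes to escape inside an SPL string literal."""
    parts = []
    for b, m in zip(parse_ip(base), parse_ip(mask)):
        alts = [p for lo, hi in octet_runs(b, m) for p in range_regex(lo, hi)]
        parts.append(alts[0] if len(alts) == 1 else "(?:" + "|".join(alts) + ")")
    return "(?<![0-9.])" + "[.]".join(parts) + "(?![0-9.])"


def verify(base, mask):
    """Exhaustively check each octet's alternatives against the bitmask test."""
    for b, m in zip(parse_ip(base), parse_ip(mask)):
        alts = [p for lo, hi in octet_runs(b, m) for p in range_regex(lo, hi)]
        pat = re.compile("^(?:" + "|".join(alts) + ")$")
        if any(bool(pat.match(str(v))) != ((v & m) == (b & m)) for v in range(256)):
            return False
    return True


def spl_where(regex, fields=("source_ip", "destination_ip")):
    """One where-clause over every field instead of one query per field."""
    return "| where " + " OR ".join(f'match({f}, "{regex}")' for f in fields)


def matching_events(events, base, mask, fields=("source_ip", "destination_ip")):
    """Emulate the where-clause locally over a list of event dicts."""
    pat = re.compile(mask_regex(base, mask))
    return [e for e in events if any(pat.search(e.get(f, "")) for f in fields)]


# Constructed sample events (not real log data): 10.x.32-63.192-255 on either side.
EVENTS = [
    {"source_ip": "10.200.40.200", "destination_ip": "192.168.1.1"},   # src in range
    {"source_ip": "192.168.1.1",   "destination_ip": "10.5.63.255"},   # dst in range
    {"source_ip": "10.5.64.200",   "destination_ip": "10.5.31.200"},   # 3rd octet out
    {"source_ip": "10.5.40.100",   "destination_ip": "10.5.40.191"},   # 4th octet out
    {"source_ip": "110.5.40.200",  "destination_ip": "10.5.40.2000"},  # boundary cases
]

if __name__ == "__main__":
    print(spl_where(mask_regex("10.0.32.192", "255.0.224.192")))
    print(matching_events(EVENTS, "10.0.32.192", "255.0.224.192"))
```

`match()` is a standard eval function, so the printed clause can be pasted straight after the base search; because the regex carries no backslashes, it reads the same whether or not a given Splunk version doubles backslashes inside eval string literals. Splunk 9.x added bit_and() to eval, so on such a version the same (ip & mask) == (base & mask) test could also be computed directly on a numeric form of the address; check the eval function reference for your release before relying on it.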