I am trying to match IPs from a discontiguous mask as follows:
10.0.32.64/255.0.224.192
where
1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255
A couple of solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.
I wonder if there is any efficient way to do the match in this case.
Thanks,
-Patrick
The regex is not that complicated.
\b10\.\d*\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2\d\d)
Try it out over at regex101 - https://regex101.com/r/97ZRw8/1/
Thanks for your suggestion. Yes, the regex is not that complicated, but the caveat here is that Splunk only evaluates a regex against 1 field. In my case I want to match traffic from either the "source_ip" field OR the "destination_ip" field in the same query, and I cannot do that with a regex in 1 query.
I have to use 2 different queries with regex: 1 query with regex to match source_ip and 1 query with regex to match destination_ip only.
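The arithmetic behind both approaches in the thread (the mask match the question asks for, and the regex from the answer), as an added worked example in Python that is not part of the original posts or of Splunk. It assumes the event field names `source_ip` and `destination_ip` from the question; the helper names (`matches_mask`, `event_matches`, `octet_ranges`, `expand_to_cidrs`, `regex_disagreements`) and the sample octet ranges swept by the cross-check are constructed here. Running it shows three things: a bitwise mask test is field-independent, so one function covers source OR destination; expanding 255.0.224.192 into plain CIDRs yields 8192 /26 blocks (the "long cidrs list" the question mentions); and the mask applied to 10.0.32.64 gives 64-127 in the last octet, whereas the answer's regex encodes 192-255, which is what the same mask gives for 10.0.32.192, so the check reports disagreements for the question's network and none for 10.0.32.192.

```python
import ipaddress
import re

# Values taken from the question
NETWORK = "10.0.32.64"
MASK = "255.0.224.192"

# Regex posted in the answer; used here only to cross-check it against the mask arithmetic
ANSWER_REGEX = re.compile(r"\b10\.\d*\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2\d\d)")


def ip_to_int(ip):
    return int(ipaddress.IPv4Address(ip))


def matches_mask_int(ip_int, net_int, mask_int):
    """True when every bit set in the mask agrees between the address and the network."""
    return (ip_int & mask_int) == (net_int & mask_int)


def matches_mask(ip, network=NETWORK, mask=MASK):
    return matches_mask_int(ip_to_int(ip), ip_to_int(network), ip_to_int(mask))


def event_matches(event, network=NETWORK, mask=MASK):
    """Match an event if either address field falls in the range (the source-OR-destination case)."""
    return any(matches_mask(event[f], network, mask)
               for f in ("source_ip", "destination_ip") if event.get(f))


def octet_ranges(network=NETWORK, mask=MASK):
    """Per-octet (low, high) ranges implied by network/mask.
    Only meaningful when each mask octet is a contiguous run of high bits (255, 0, 224, 192 all are)."""
    ranges = []
    for nb, mb in zip(ipaddress.IPv4Address(network).packed, ipaddress.IPv4Address(mask).packed):
        free = ~mb & 0xFF
        if (free + 1) & free:
            raise ValueError(f"mask octet {mb} is not a contiguous high-bit run")
        low = nb & mb
        ranges.append((low, low | free))
    return ranges


def expand_to_cidrs(network=NETWORK, mask=MASK):
    """Equivalent CIDR list: the trailing run of zero mask bits becomes the prefix length,
    and every other zero mask bit doubles the number of blocks."""
    m = ip_to_int(mask)
    base = ip_to_int(network) & m
    trailing = 0
    while trailing < 32 and not (m >> trailing) & 1:
        trailing += 1
    free_bits = [b for b in range(trailing, 32) if not (m >> b) & 1]
    cidrs = []
    for combo in range(1 << len(free_bits)):
        addr = base
        for i, b in enumerate(free_bits):
            if (combo >> i) & 1:
                addr |= 1 << b
        cidrs.append(ipaddress.IPv4Network((addr, 32 - trailing)))
    return sorted(cidrs)


def regex_disagreements(regex=ANSWER_REGEX, network=NETWORK, mask=MASK,
                        first_octets=(10, 11), second_octets=(0, 255)):
    """Addresses where regex.search and the mask test disagree; octets 3 and 4 are swept exhaustively,
    octets 1 and 2 over a constructed sample."""
    net_int, mask_int = ip_to_int(network), ip_to_int(mask)
    bad = []
    for a in first_octets:
        for b in second_octets:
            for c in range(256):
                for d in range(256):
                    ip_int = (a << 24) | (b << 16) | (c << 8) | d
                    ip = f"{a}.{b}.{c}.{d}"
                    if bool(regex.search(ip)) != matches_mask_int(ip_int, net_int, mask_int):
                        bad.append(ip)
    return bad


if __name__ == "__main__":
    print("octet ranges for", NETWORK, "/", MASK, "->", octet_ranges())
    print("CIDR blocks needed:", len(expand_to_cidrs()))
    print("regex vs mask disagreements for", NETWORK, ":", len(regex_disagreements()))
    print("regex vs mask disagreements for 10.0.32.192:", len(regex_disagreements(network="10.0.32.192")))
```

`octet_ranges` is the quickest way to derive the per-octet ranges a regex has to encode; building the regex from those computed ranges rather than by hand avoids the kind of drift the cross-check surfaces.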