Splunk Search

How do I match IPs with discontiguous mask?

patricknguyen
Explorer

I am trying to match IPs against a discontiguous mask as follows:

10.0.32.64/255.0.224.192

where

1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255

A couple of solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.

I wonder if there is any efficient way to do the match in this case.

Thanks,
-Patrick


DalJeanis
Legend

The regex is not that complicated.

\b10\.\d{1,3}\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2[0-4]\d|25[0-5])\b

Try it out over at regex101 - https://regex101.com/r/97ZRw8/1/


patricknguyen
Explorer

Thanks for your suggestion. Yes, the regex is not that complicated, but the caveat here is that Splunk only evaluates a regex against 1 field. In my case I want to match traffic from either the "source_ip" field OR the "destination_ip" field in the same query, and I cannot do that with regex in 1 query.

I have to use 2 different queries with regex: 1 query with regex to match source_ip and 1 query with regex to match destination_ip only.

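As an added example (not code from the thread), the bitwise rule behind a discontiguous mask in Python: an address matches when ip & mask == addr & mask, tested over both source_ip and destination_ip in one pass, plus a function that expands the mask into the equivalent CIDR list to show how long the cidrmatch route would be. Note that with addr 10.0.32.64 the two fourth-octet bits fixed by 192 are 01, so the mask itself selects 64-127 in that octet; an addr of 10.0.32.192 would select 192-255. The rule string and event dicts are constructed sample data.

```python
import ipaddress

# Constructed sample rule and events (not from the thread).
RULE = "10.0.32.64/255.0.224.192"
SAMPLE_EVENTS = [
    {"source_ip": "10.200.45.100", "destination_ip": "192.168.1.1"},  # source side matches
    {"source_ip": "192.168.1.1", "destination_ip": "10.7.63.127"},    # destination side matches
    {"source_ip": "10.0.64.64", "destination_ip": "10.0.32.200"},     # neither side matches
]

def parse_rule(rule):
    """Split 'addr/mask' with a dotted (possibly discontiguous) mask into two ints."""
    addr, mask = rule.split("/")
    return int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(mask))

def ip_matches(ip, rule):
    """True when ip agrees with addr on every bit that is set in the mask."""
    addr, mask = parse_rule(rule)
    return (int(ipaddress.IPv4Address(ip)) & mask) == (addr & mask)

def event_matches(event, rule, fields=("source_ip", "destination_ip")):
    """One test over both address fields: the OR the original poster wanted."""
    return any(f in event and ip_matches(event[f], rule) for f in fields)

def matching_events(events, rule):
    return [e for e in events if event_matches(e, rule)]

def equivalent_cidrs(rule):
    """Expand the mask into the CIDR blocks that cover exactly the same addresses.
    Each free bit that sits before the last fixed bit doubles the list."""
    addr, mask = parse_rule(rule)
    fixed = [(mask >> (31 - i)) & 1 for i in range(32)]       # bit i of the mask, MSB first
    prefix_len = max(i for i, b in enumerate(fixed) if b) + 1  # prefix runs through the last fixed bit
    free = [i for i in range(prefix_len) if not fixed[i]]      # gaps that must be enumerated
    base = addr & mask
    nets = []
    for combo in range(1 << len(free)):
        value = base
        for k, pos in enumerate(free):
            if (combo >> k) & 1:
                value |= 1 << (31 - pos)
        nets.append(ipaddress.IPv4Network((value, prefix_len)))
    return nets

if __name__ == "__main__":
    print(len(matching_events(SAMPLE_EVENTS, RULE)), "of", len(SAMPLE_EVENTS), "events match")
    nets = equivalent_cidrs(RULE)
    print(len(nets), "CIDR blocks needed, e.g.", nets[0], "...", nets[-1])
```

In SPL the same two-field OR can be written with eval's match() function, e.g. `| where match(source_ip, "<regex>") OR match(destination_ip, "<regex>")`, since unlike the regex command it is not limited to a single field.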