Splunk Search

How do I match IPs with discontiguous mask?


I am trying to match IPs from a discontiguous mask as follows:

where as

1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255

A couple of solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: this would be a long cidrs list in this case.

I wonder if there is any efficient way to do the match in this case.




The regex is not that complicated.


Try it out over at regex101 - https://regex101.com/r/97ZRw8/1/



Thanks for your suggestion. Yes, regex is not that complicated, but the caveat here is that Splunk only evaluates regex for 1 field. In my case I want to match traffic from either the "source_ip" field OR the "destination_ip" field in the same query, and I cannot do that with regex in 1 query.

I have to use 2 different queries with regex: 1 query with regex to match source_ip and 1 query with regex to match destination_ip only.

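The range from the question written as a single base/mask pair with a discontiguous mask, the equivalent anchored regex checked exhaustively against it, and a count of how many CIDR blocks the cidrmatch approach from the question would actually need. This is an added Python example, not code from the thread; the field names source_ip and destination_ip come from the question, and the sample flows are constructed.

```python
import ipaddress
import re

# Range from the question: 10.(0-255).(32-63).(192-255). Each octet range is a
# run of fixed high bits over free low bits, so the whole thing is one
# base/mask pair whose mask is discontiguous (wildcard-mask style).
BASE = int(ipaddress.IPv4Address("10.0.32.192"))
MASK = int(ipaddress.IPv4Address("255.0.224.192"))  # 224 = 111xxxxx, 192 = 11xxxxxx

def in_range_by_mask(ip: str) -> bool:
    """Keep only the bits MASK cares about and compare them with BASE."""
    return (int(ipaddress.IPv4Address(ip)) & MASK) == BASE

# Equivalent anchored regex; one pattern like this can be applied to both
# fields in a single eval/where clause rather than one rex per field.
ANY_OCTET = r"(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])"  # 0-255
OCTET3 = r"(3[2-9]|[45][0-9]|6[0-3])"                     # 32-63
OCTET4 = r"(19[2-9]|2[0-4][0-9]|25[0-5])"                 # 192-255
RANGE_RE = re.compile(rf"^10\.{ANY_OCTET}\.{OCTET3}\.{OCTET4}$")

def in_range_by_regex(ip: str) -> bool:
    return RANGE_RE.match(ip) is not None

def either_endpoint_in_range(source_ip: str, destination_ip: str) -> bool:
    """The question's requirement: flag a flow if either side is inside the range."""
    return in_range_by_mask(source_ip) or in_range_by_mask(destination_ip)

def regex_agrees_with_mask() -> bool:
    """Exhaustively compare both checks over every 3rd/4th octet for 10.77.x.y."""
    return all(
        in_range_by_mask(f"10.77.{o3}.{o4}") == in_range_by_regex(f"10.77.{o3}.{o4}")
        for o3 in range(256) for o4 in range(256)
    )

def cidr_count() -> int:
    """Size of the CIDR list cidrmatch() would need: one /26 per qualifying /24.
    collapse_addresses() cannot merge them because they are not adjacent."""
    nets = [ipaddress.ip_network(f"10.{o2}.{o3}.192/26")
            for o2 in range(256) for o3 in range(32, 64)]
    return len(list(ipaddress.collapse_addresses(nets)))

if __name__ == "__main__":
    # Constructed sample flows, not data from the thread.
    flows = [("10.5.40.200", "172.16.0.9"), ("192.168.1.1", "10.200.63.255"),
             ("10.5.40.100", "10.5.64.200")]
    for src, dst in flows:
        print(src, dst, either_endpoint_in_range(src, dst))
    print("regex == mask:", regex_agrees_with_mask(), "| CIDRs needed:", cidr_count())
```

Because the same compiled pattern is valid for any field, it is the part worth validating once here before reusing it against both address fields in the search.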