I am trying to match IPs from discontiguous mask as follow:
1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255
A couple solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.
I wonder if there is any efficient way to do the match in this case.
Thanks for your suggestion. Yes, regex is not that complicated but the caveat here is Splunk is only evaluate regex for 1 field only. In my case I want to match traffic from either "source_ip" field OR "destination_ip" field on the same query and I can not do with regex in 1 query.
I have to use 2 different queries with regex: 1 query with regex to match source_ip and 1 query with regex to match destination_ip only.