How do I match IPs with discontiguous mask?

patricknguyen
Explorer

I am trying to match IPs from a discontiguous mask as follows:

10.0.32.64/255.0.224.192

where

1st octet: Match exactly 10
2nd octet: Match any from range 0-255
3rd octet: Match range 32-63
4th octet: Match range 192-255

A couple of solutions I found while searching are:
1. Regex: however, regex is used to match 1 field only (either source_ip or destination_ip), not both at the same time. I'd like to be able to match any traffic with source_ip OR destination_ip within the range.
2. cidrmatch to span across multiple CIDR ranges: This would be a long cidrs list in this case.

I wonder if there is any efficient way to do the match in this case.

Thanks,
-Patrick

DalJeanis
SplunkTrust

The regex is not that complicated.

\b10\.\d*\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2\d\d)

Try it out over at regex101 - https://regex101.com/r/97ZRw8/1/

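The match both posts describe, as an added Python example (not code from the thread or from Splunk): it implements the bitwise test a discontiguous mask defines, applies it to either address field of an event, counts how many CIDR blocks the cidrmatch approach would need, and cross-checks the regex above against the mask test. It assumes the octet ranges listed in the question, which correspond to network 10.0.32.192 under mask 255.0.224.192; the field names source_ip and destination_ip are the question's, and the sample events are constructed.

```python
import ipaddress
import re

# Range from the question as network/mask. The octet ranges it lists (4th octet
# 192-255) imply network 10.0.32.192 under mask 255.0.224.192, so that is assumed
# here; 10.0.32.64 under the same mask would give a 4th octet of 64-127 instead.
NETWORK = "10.0.32.192"
MASK = "255.0.224.192"
# Regex from the reply, kept unchanged so it can be checked against the mask test.
PROPOSED_REGEX = re.compile(r"\b10\.\d*\.(3[2-9]|(4|5)[0-9]|6[0-3])\.(19[2-9]|2\d\d)")

def ip_to_int(ip: str) -> int:
    return int(ipaddress.IPv4Address(ip))

def mask_match(ip: str, network: str = NETWORK, mask: str = MASK) -> bool:
    """True when every bit set in mask agrees between ip and network; the same
    AND test covers contiguous and discontiguous masks alike."""
    m = ip_to_int(mask)
    return (ip_to_int(ip) & m) == (ip_to_int(network) & m)

def event_matches(event: dict) -> bool:
    """The OR the question asks for: hit if source_ip or destination_ip is in range."""
    return any(mask_match(event[f]) for f in ("source_ip", "destination_ip") if f in event)

def cidr_count(mask: str) -> int:
    """How many CIDR blocks an exact expansion of the mask needs: one per
    combination of the zero bits that sit above the mask's lowest set bit."""
    m = ip_to_int(mask)
    if m == 0:
        return 1
    lowest_set = (m & -m).bit_length() - 1
    free_above = sum(1 for b in range(lowest_set + 1, 32) if not (m >> b) & 1)
    return 2 ** free_above

def regex_agrees(samples) -> bool:
    """Cross-check the reply's regex against the mask test on valid dotted quads."""
    return all(bool(PROPOSED_REGEX.search(ip)) == mask_match(ip) for ip in samples)

# Constructed sample events and boundary addresses for the demo.
SAMPLE_EVENTS = [
    {"source_ip": "10.17.45.200", "destination_ip": "192.168.1.1"},   # src in range
    {"source_ip": "192.168.1.1", "destination_ip": "10.200.63.255"},  # dst in range
    {"source_ip": "10.17.31.200", "destination_ip": "10.17.64.200"},  # 3rd octet out of range
    {"source_ip": "10.17.45.191", "destination_ip": "11.17.45.200"},  # 4th / 1st octet out of range
]
BOUNDARY_IPS = ["10.0.32.192", "10.0.31.192", "10.0.64.192", "10.0.32.191",
                "10.255.63.255", "11.0.32.192", "110.0.32.192", "10.0.32.64"]
```

cidr_count(MASK) comes out at 8192, which is the "long cidrs list" the question anticipates: every combination of the 13 free bits above the mask's lowest set bit needs its own /26.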
patricknguyen
Explorer

Thanks for your suggestion. Yes, the regex is not that complicated, but the caveat here is that Splunk only evaluates a regex for 1 field. In my case I want to match traffic from either the "source_ip" field OR the "destination_ip" field in the same query, and I cannot do that with regex in 1 query.

I have to use 2 different queries with regex: 1 query with regex to match source_ip and 1 query with regex to match destination_ip only.