Solved: Re: How do I match an IP address to a range that s...

scottrunyon · ‎07-08-2016

I am trying to match IP addresses in the block of addresses - 10.120.1.0 through 10.120.13.255. This range spans several CIDR ranges
10.120.1.0/24 + 10.120.2.0/23 + 10.120.4.0/22 + 10.120.8.0/22 + 10.122.12.0/23. Is there a way to search not using eval cidrmatch?

Raschko · ‎07-08-2016

You could use a regex command to check if the ip matches the pattern and filter for these events

| regex ip="10.120.(?:[1-9]|1[0-3]).[0-255]"

Alternatively, you can just use cidrmatch with the case command.

| eval match=case(
cidrmatch("10.120.1.0/24" ,ip) ,"1",
cidrmatch("10.120.2.0/23" ,ip) ,"1",
cidrmatch("10.120.4.0/22" ,ip) ,"1",
cidrmatch("10.120.8.0/22" ,ip) ,"1",
cidrmatch("10.120.12.0/23",ip),"1",
1=1,"0")

HTH,
Raschko

View solution in original post

Raschko · ‎07-08-2016

You could use a regex command to check if the ip matches the pattern and filter for these events

| regex ip="10.120.(?:[1-9]|1[0-3]).[0-255]"

Alternatively, you can just use cidrmatch with the case command.

| eval match=case(
cidrmatch("10.120.1.0/24" ,ip) ,"1",
cidrmatch("10.120.2.0/23" ,ip) ,"1",
cidrmatch("10.120.4.0/22" ,ip) ,"1",
cidrmatch("10.120.8.0/22" ,ip) ,"1",
cidrmatch("10.120.12.0/23",ip),"1",
1=1,"0")

HTH,
Raschko

CryoHydra · ‎06-27-2019

Hello @Raschko wht this section of code 1=1,"0" on eval doing . Thanks

scottrunyon · ‎07-08-2016

The eval answer is just exactly what I needed. I need to have several other sub-nets defined and this lets me expand to cover all of them.

Thanks for the help!!

Scott

How do I match an IP address to a range that spans multiple CIDRs?

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

They're back! Join the SplunkTrust and MVP at .conf24

Enterprise Security Content Update (ESCU) | New Releases