How to Search Range for Grouped IP

Akmal57
Path Finder

Hi, 

I have created a table with host and grouped IP address; the host will have public and private IP addresses.

So my table looks like this:

Host      IP           id
Host A    10.1.1.1     21
          172.1.1.1

I have an IP range to identify the public IP.

I need to create another field: if the range is matched, the result will be Yes, if not, No.

I have used this query for the field:

| eval "internet facing"=case(cidrmatch("172.1.1.0/24", IP), "Yes", 1==1, "No")

But this eval only works on a field which has 1 IP.

In my grouped IP field, it's not working.

Please assist on this.

Thank you


ITWhisperer
SplunkTrust
SplunkTrust

By group field, I assume you are referring to a multi-value field? If so, you could expand your events by the multi-value field so that each part can be evaluated separately

| mvexpand IP

Akmal57
Path Finder

OK, thank you for your reply. But if using mvexpand, the IP will be split by host.

Is there any workaround to not split the host?

If I split the IP, for example like

host   ip1   ip2

is there any query that can detect the internet facing by searching across all the IP fields?


ITWhisperer
SplunkTrust
SplunkTrust

What do you mean split by host? Perhaps if you share what your events actually look like (anonymised of course), we might be able to figure out what it is you are trying to do.

Akmal57
Path Finder

If using mvexpand, my result is like this:

Host      IP           Internet Facing
Host A    10.1.1.1     No
Host A    172.1.1.1    Yes

For the IP field, I have combined from 2 sources.

My table should look like this:

Host      IP           Internet Facing
Host A    10.1.1.1     Yes
          172.1.1.1

Below is my sample query:

index=a or sourcetype=b
| eval ip=mvappend(IP1, IP2)
| stats values(ip) as ip by host
| eval "internet facing"=case(cidrmatch("172.1.1.0/24", ip), "Yes", 1==1, "No")

I need the result to look like the second example table above, which does not split the host.


ITWhisperer
SplunkTrust
SplunkTrust

If you already have two fields with the IP addresses, you can compare them prior to the mvappend

index=a or sourcetype=b
| eval "internet facing"=case(cidrmatch("172.1.1.0/24", IP1), "Yes", cidrmatch("172.1.1.0/24", IP2), "Yes", 1==1, "No")
| eval ip=mvappend(IP1, IP2)
| fields - IP1 IP2

Akmal57
Path Finder

Owh, thank you very much. It works perfectly as needed.

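The any-value check this thread is after, as an added Python example (not Splunk SPL and not code from either poster): it reproduces the mvappend + stats values() grouping offline and then applies a cidrmatch-style test to every value of the grouped IP field, so a host is marked "Yes" when any one of its addresses falls inside the range. The events, the extra hosts B and C, and the ranges list are constructed for illustration; the only range the thread itself uses is 172.1.1.0/24.

```python
import ipaddress
from collections import defaultdict

# Constructed sample events modelled on the thread: each event carries one host
# and up to two IP fields (IP1 from one source, IP2 from another). An empty
# string stands for a missing Splunk field, which mvappend() simply skips.
EVENTS = [
    {"host": "Host A", "IP1": "10.1.1.1", "IP2": "172.1.1.1"},
    {"host": "Host B", "IP1": "10.1.2.5", "IP2": ""},
    {"host": "Host B", "IP1": "10.1.2.5", "IP2": "192.168.0.7"},
    {"host": "Host C", "IP1": "not-an-ip", "IP2": "172.1.1.200"},
]

# Hypothetical list of "internet facing" ranges; the thread uses only the first.
PUBLIC_RANGES = ["172.1.1.0/24"]


def cidrmatch(cidr, ip):
    """Splunk-style cidrmatch(): True when ip lies inside cidr. A value that is
    not a valid address never matches, so junk in the field cannot yield 'Yes'."""
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)
    except ValueError:
        return False


def group_ips_by_host(events):
    """Equivalent of `| eval ip=mvappend(IP1, IP2) | stats values(ip) by host`:
    one sorted, de-duplicated multi-value list of IPs per host."""
    grouped = defaultdict(set)
    for ev in events:
        for field in ("IP1", "IP2"):
            if ev.get(field):           # skip missing/empty fields like mvappend
                grouped[ev["host"]].add(ev[field])
    return {host: sorted(ips) for host, ips in grouped.items()}


def internet_facing(ips, ranges=PUBLIC_RANGES):
    """'Yes' if ANY value of the multi-value field is in ANY range, else 'No'.
    This any-match is what a single-value case() on the grouped field misses."""
    return "Yes" if any(cidrmatch(r, ip) for r in ranges for ip in ips) else "No"


def classify_hosts(events, ranges=PUBLIC_RANGES):
    """Build the table the question asks for: host -> (grouped IPs, Yes/No)."""
    return {host: (ips, internet_facing(ips, ranges))
            for host, ips in group_ips_by_host(events).items()}


if __name__ == "__main__":
    for host, (ips, facing) in classify_hosts(EVENTS).items():
        print(f"{host:8} {', '.join(ips):24} {facing}")
```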