Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to best determine IP range membership?

hulahoop
Splunk Employee
Splunk Employee
‎01-21-2010 09:11 PM

Use Case: Find Juniper firewall events where the source/destination IP (Src_Zone/Dst_Zone) does or does not belong in the private zone.

The private zone includes IP ranges defined by RFC1918 plus others:

  • 169.254.0.0 to 169.254.255.255 (RFC1918)
  • 10.0.0.0 to 10.255.255.255 (RFC1918)
  • 192.168.0.0 to 192.168.255.255 (RFC1918)
  • 172.16.0.0 to 172.31.255.255 (LinkLocal)

Proposed Splunk search macro for Src_Zone membership in the private zone:

Src_Zone=169.254.*.* OR Src_Zone=10.*.*.* OR Src_Zone=192.168.*.* OR Src_Zone=172.16.*.* OR Src_Zone=172.17.*.* OR Src_Zone=172.18.*.* OR Src_Zone=172.19.*.* OR Src_Zone=172.20.*.* OR Src_Zone=172.21.*.* OR Src_Zone=172.22.*.* OR Src_Zone=172.23.*.* OR Src_Zone=172.24.*.* OR Src_Zone=172.25.*.* OR Src_Zone=172.26.*.* OR Src_Zone=172.27.*.* OR Src_Zone=172.28.*.* OR Src_Zone=172.29.*.* OR Src_Zone=172.30.*.* OR Src_Zone=172.31.*.*

This approach is super unwieldy even as a macro, and is likely not efficient. There must be a better way to express membership in the last IP range defined by the private zone 172.16.0.0-172.31.255.255 without having to expand it. I tried incorporating the regex command (... | regex Src_Zone="172\.(1[6-9]|2\d|3[0-1])\.) but can't figure out how to use it in a boolean OR context.

This gets even hairier when trying to express membership where

Src_Zone!=<in the private zone> AND Dst_Zone=<in the private zone>.

Any suggestions on how to not brute force this?

Tags (2)
Reply
1 Solution
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎01-22-2010 01:52 AM

Many thanks, V!

For the scenario above, this is how your answer was applied:

... | where cidrmatch("10.0.0.0/8",Src_Addr) OR cidrmatch("172.16.0.0/12",Src_Addr) OR cidrmatch("192.168.0.0/16",Src_Addr) OR cidrmatch("169.254.0.0/16",Src_Addr)

Who knew the Splunk search language is so powerful. 😉 This is much simpler!

For the curious, here is further supporting information:

It is especially helpful to know the where and eval commands support booleans. For example, to solve the more difficult case of

Src_Zone!=<in the private zone> AND Dst_Zone=<in the private zone>

simply apply the NOT and AND boolean operators:

... | where NOT ( cidrmatch("10.0.0.0/8",Src_Addr) OR cidrmatch("172.16.0.0/12",Src_Addr) OR cidrmatch("192.168.0.0/16",Src_Addr) OR cidrmatch("169.254.0.0/16",Src_Addr) ) AND
( cidrmatch("10.0.0.0/8",Dst_Addr) OR cidrmatch("172.16.0.0/12",Dst_Addr) OR cidrmatch("192.168.0.0/16",Dst_Addr) OR cidrmatch("169.254.0.0/16",Dst_Addr) )

View solution in original post

Reply
Solved! Jump to solution

Marklar
Splunk Employee
Splunk Employee
‎01-22-2010 09:57 PM

We also allow the CIDR syntax in a search field comparison, so you could enter something simple like this in the search bar:

Src_Zone=172.16.0.0/16

This works for '=' and '!=', and you can still use the search boolean operators.

Reply
Solved! Jump to solution

hulahoop
Splunk Employee
Splunk Employee
‎01-28-2010 02:16 AM

It is very sweet. Thank you, Marklar! So my IP range searches now are even shorter. I've even defined macros so my searches are super short, too:

For outbound traffic:

( Src_Addr=10.0.0.0/8 OR Src_Addr=172.16.0.0/12 OR Src_Addr=192.168.0.0/16 OR Src_Addr=169.254.0.0/16 ) AND ( Dst_Addr!=10.0.0.0/8 AND Dst_Addr!=172.16.0.0/12 AND Dst_Addr!=192.168.0.0/16 AND Dst_Addr!=169.254.0.0/16 AND Dst_Addr!=65.194.243.* AND Dst_Addr!=216.52.215.* )

0 Karma
Reply
Solved! Jump to solution

Johnvey
Contributor
‎01-22-2010 10:51 PM

That's pretty sweet.

Reply
Solved! Jump to solution
Solution

hulahoop
Splunk Employee
Splunk Employee
‎01-22-2010 01:52 AM

Many thanks, V!

For the scenario above, this is how your answer was applied:

... | where cidrmatch("10.0.0.0/8",Src_Addr) OR cidrmatch("172.16.0.0/12",Src_Addr) OR cidrmatch("192.168.0.0/16",Src_Addr) OR cidrmatch("169.254.0.0/16",Src_Addr)

Who knew the Splunk search language is so powerful. 😉 This is much simpler!

For the curious, here is further supporting information:

It is especially helpful to know the where and eval commands support booleans. For example, to solve the more difficult case of

Src_Zone!=<in the private zone> AND Dst_Zone=<in the private zone>

simply apply the NOT and AND boolean operators:

... | where NOT ( cidrmatch("10.0.0.0/8",Src_Addr) OR cidrmatch("172.16.0.0/12",Src_Addr) OR cidrmatch("192.168.0.0/16",Src_Addr) OR cidrmatch("169.254.0.0/16",Src_Addr) ) AND
( cidrmatch("10.0.0.0/8",Dst_Addr) OR cidrmatch("172.16.0.0/12",Dst_Addr) OR cidrmatch("192.168.0.0/16",Dst_Addr) OR cidrmatch("169.254.0.0/16",Dst_Addr) )

Reply
Solved! Jump to solution

V_at_Splunk
Splunk Employee
Splunk Employee
‎01-21-2010 10:20 PM

Take a look at cidrmatch, in http://www.splunk.com/base/Documentation/4.0.8/SearchReference/CommonEvalFunctions. You can use it with WHERE, that should simplify things.

Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...