Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count/map internal traffic for a range of IP addresses?

splunknewby
Path Finder
‎07-08-2015 09:48 PM

I have the following fields within splunk: srcaddr and dstaddr, and I would like to map the number of internal to internal connections. I.e all internal traffic from srcaddr to any dstaddr on the IPs 10.0.0.0/8 and 198.168.0.0/16.

How would I filter for and compare these variables?

Cheers.

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎07-09-2015 05:55 AM

First we need to find the internal to internal connections. One way we can do this with the cidrmatch function in a where command like so:

base search | where (cidrmatch("10.0.0.0/8",srcaddr) OR cidrmatch("192.168.0.0/16", srcaddr)) AND (cidrmatch("10.0.0.0/8",dstaddr) OR cidrmatch("192.168.0.0/16", dstaddr))

Now I'm not sure what you mean by map the number of connections exactly, but from here you could then add a | stats count to get the count of internal to internal connections, or do any other statistical function. (If you could clarify more of what you want I could have a better recommendation)

Reply

splunknewby
Path Finder
‎07-09-2015 07:07 PM

Hi acharlieh, I've tried using cidrmatch(), but I don't get any hits for the following index = main | where cidrmatch("192.168.0.0/16",srcaddr), even though there is data with IP addresses in that range under the main index.

Using where like(srcaddr,"192.168.%") returns results, but doesn't seem to be the best solution.

Also, yes I want to essentially get a count of all internal to internal connections.

0 Karma
Reply

acharlieh
Influencer
‎07-09-2015 08:16 PM

I wonder if the extraction for srcaddr has a trailing space in it... compare the output of these queries: 

| noop | stats count | eval srcaddr="192.168.12.1 " | where like(srcaddr,"192.168.%")

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",srcaddr)

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",trim(srcaddr))

| noop | stats count | eval srcaddr="192.168.12.1" | where cidrmatch("192.168.0.0/16",srcaddr)
Reply

splunknewby
Path Finder
‎07-09-2015 09:45 PM

Could the issue be that the srcaddr is being saved as a string?

Is there a way to force Splunk to save the two fields srcaddr and dstadd as IPs?

0 Karma
Reply
Get Updates on the Splunk Community!

Community Content Calendar, November Edition

Welcome to the November edition of our Community Spotlight! Each month, we dive into the Splunk Community to ...

October Community Champions: A Shoutout to Our Contributors!

As October comes to a close, we want to take a moment to celebrate the people who make the Splunk Community ...

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

What are Community Office Hours? Community Office Hours is an interactive 60-minute Zoom series where ...