Splunk Search

How to count/map internal traffic for a range of IP addresses?

splunknewby
Path Finder

I have the following fields within splunk: srcaddr and dstaddr, and I would like to map the number of internal to internal connections, i.e. all internal traffic from srcaddr to any dstaddr on the IPs 10.0.0.0/8 and 198.168.0.0/16.

How would I filter for and compare these variables?

Cheers.


acharlieh
Influencer

First we need to find the internal to internal connections. One way we can do this is with the cidrmatch function in a where command, like so:

base search | where (cidrmatch("10.0.0.0/8",srcaddr) OR cidrmatch("192.168.0.0/16", srcaddr)) AND (cidrmatch("10.0.0.0/8",dstaddr) OR cidrmatch("192.168.0.0/16", dstaddr)) 

Now I'm not sure what you mean by map the number of connections exactly, but from here you could then add a | stats count to get the count of internal to internal connections, or do any other statistical function. (If you could clarify more of what you want I could have a better recommendation)

splunknewby
Path Finder

Hi acharlieh, I've tried using cidrmatch(), but I don't get any hits for the following index = main | where cidrmatch("192.168.0.0/16",srcaddr), even though there is data with IP addresses in that range under the main index.

Using where like(srcaddr,"192.168.%") returns results, but doesn't seem to be the best solution.

Also, yes I want to essentially get a count of all internal to internal connections.


acharlieh
Influencer

I wonder if the extraction for srcaddr has a trailing space in it... compare the output of these queries:

| noop | stats count | eval srcaddr="192.168.12.1 " | where like(srcaddr,"192.168.%")

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",srcaddr)

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",trim(srcaddr))

| noop | stats count | eval srcaddr="192.168.12.1" | where cidrmatch("192.168.0.0/16",srcaddr)
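As an added example (not part of the thread, and not Splunk's own code), the Python below models what acharlieh's two answers describe: the strict cidrmatch()-style filter over srcaddr and dstaddr, the way a trailing space from a sloppy field extraction makes that filter silently return nothing while a like("192.168.%") prefix check still matches, and the trim() fix. It goes beyond the thread in one way: it also includes 172.16.0.0/12 (an assumption, not mentioned in the thread) to show where string-prefix matching undercounts. The flow records are constructed sample data.

```python
"""Model of a Splunk internal-to-internal filter, with the trailing-space trap.

Added example, not from the thread. cidrmatch()/trim() here mimic the SPL
functions of the same name; the records and the 172.16.0.0/12 range are
constructed/assumed for illustration.
"""
import ipaddress
from collections import Counter

# Internal ranges. The thread uses 10.0.0.0/8 and 192.168.0.0/16;
# 172.16.0.0/12 is added here (assumption) because it is not octet-aligned,
# which is exactly where a like("172.16.%") style check breaks down.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]


def cidrmatch(cidr: str, value: str) -> bool:
    """Strict match, like SPL cidrmatch(): anything that is not a clean IP
    literal (e.g. "192.168.12.1 " with a trailing space) is simply no match."""
    try:
        return ipaddress.ip_address(value) in ipaddress.ip_network(cidr)
    except ValueError:
        return False


def is_internal(value: str, strip: bool = False) -> bool:
    """True if value falls in any internal range; strip=True is the trim() fix."""
    v = value.strip() if strip else value
    return any(cidrmatch(str(net), v) for net in INTERNAL_NETS)


def like_prefix_internal(value: str) -> bool:
    """The asker's fallback: where like(srcaddr, "192.168.%") and friends.
    Tolerates trailing whitespace but only understands octet-aligned prefixes."""
    return value.startswith(("10.", "192.168.", "172.16."))


# Constructed sample records. Every srcaddr carries the trailing space the
# thread suspects the field extraction is leaving behind.
RECORDS = [
    {"srcaddr": "192.168.12.1 ", "dstaddr": "10.0.0.5"},      # internal -> internal
    {"srcaddr": "10.1.2.3 ",     "dstaddr": "192.168.1.10"},  # internal -> internal
    {"srcaddr": "172.20.5.5 ",   "dstaddr": "10.9.9.9"},      # internal (/12) -> internal
    {"srcaddr": "192.168.7.7 ",  "dstaddr": "8.8.8.8"},       # internal -> external
    {"srcaddr": "203.0.113.4 ",  "dstaddr": "10.0.0.5"},      # external -> internal
]


def count_internal_to_internal(records, strip: bool = False) -> int:
    """Equivalent of: | where cidrmatch(...) on both fields | stats count"""
    return sum(1 for r in records
               if is_internal(r["srcaddr"], strip) and is_internal(r["dstaddr"], strip))


def count_internal_to_internal_like(records) -> int:
    """Same count using the prefix-string approach instead of CIDR matching."""
    return sum(1 for r in records
               if like_prefix_internal(r["srcaddr"]) and like_prefix_internal(r["dstaddr"]))


def count_by_pair(records) -> Counter:
    """The "map" part: | where ... | stats count by srcaddr dstaddr, after trimming."""
    pairs = Counter()
    for r in records:
        s, d = r["srcaddr"].strip(), r["dstaddr"].strip()
        if is_internal(s) and is_internal(d):
            pairs[(s, d)] += 1
    return pairs


if __name__ == "__main__":
    print("cidrmatch, untrimmed:", count_internal_to_internal(RECORDS))          # 0
    print("cidrmatch, trimmed:  ", count_internal_to_internal(RECORDS, strip=True))  # 3
    print("like() prefix:       ", count_internal_to_internal_like(RECORDS))     # 2
    for (s, d), n in sorted(count_by_pair(RECORDS).items()):
        print(f"{s} -> {d}: {n}")
```

The untrimmed count is zero, which is the symptom the asker reported; trimming restores the three internal-to-internal rows. The prefix check returns two because 172.20.5.5 lives in 172.16.0.0/12 but does not start with "172.16.", so like() would quietly undercount on any network that is not octet-aligned. In SPL the equivalent fix is to wrap both fields, e.g. `| where cidrmatch("10.0.0.0/8", trim(srcaddr)) ...`, and then `| stats count by srcaddr dstaddr` for the per-pair map.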

splunknewby
Path Finder

Could the issue be that the srcaddr is being saved as a string?

Is there a way to force Splunk to save the two fields srcaddr and dstaddr as IPs?
