Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to count/map internal traffic for a range of IP addresses?

splunknewby
Path Finder
‎07-08-2015 09:48 PM

I have the following fields within splunk: srcaddr and dstaddr, and I would like to map the number of internal to internal connections. I.e all internal traffic from srcaddr to any dstaddr on the IPs 10.0.0.0/8 and 198.168.0.0/16.

How would I filter for and compare these variables?

Cheers.

Tags (3)
0 Karma
Reply

acharlieh
Influencer
‎07-09-2015 05:55 AM

First we need to find the internal to internal connections. One way we can do this with the cidrmatch function in a where command like so:

base search | where (cidrmatch("10.0.0.0/8",srcaddr) OR cidrmatch("192.168.0.0/16", srcaddr)) AND (cidrmatch("10.0.0.0/8",dstaddr) OR cidrmatch("192.168.0.0/16", dstaddr))

Now I'm not sure what you mean by map the number of connections exactly, but from here you could then add a | stats count to get the count of internal to internal connections, or do any other statistical function. (If you could clarify more of what you want I could have a better recommendation)

Reply

splunknewby
Path Finder
‎07-09-2015 07:07 PM

Hi acharlieh, I've tried using cidrmatch(), but I don't get any hits for the following index = main | where cidrmatch("192.168.0.0/16",srcaddr), even though there is data with IP addresses in that range under the main index.

Using where like(srcaddr,"192.168.%") returns results, but doesn't seem to be the best solution.

Also, yes I want to essentially get a count of all internal to internal connections.

0 Karma
Reply

acharlieh
Influencer
‎07-09-2015 08:16 PM

I wonder if the extraction for srcaddr has a trailing space in it... compare the output of these queries: 

| noop | stats count | eval srcaddr="192.168.12.1 " | where like(srcaddr,"192.168.%")

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",srcaddr)

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",trim(srcaddr))

| noop | stats count | eval srcaddr="192.168.12.1" | where cidrmatch("192.168.0.0/16",srcaddr)
Reply

splunknewby
Path Finder
‎07-09-2015 09:45 PM

Could the issue be that the srcaddr is being saved as a string?

Is there a way to force Splunk to save the two fields srcaddr and dstadd as IPs?

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...

Splunk MCP & Agentic AI: Machine Data Without Limits

Discover how the Splunk Model Context Protocol (MCP) Server can revolutionize the way your organization uses ...