Splunk Search

How to count/map internal traffic for a range of IP addresses?

splunknewby
Path Finder

I have the following fields within Splunk: srcaddr and dstaddr, and I would like to map the number of internal to internal connections, i.e. all internal traffic from srcaddr to any dstaddr on the IPs 10.0.0.0/8 and 198.168.0.0/16.

How would I filter for and compare these variables?

Cheers.


acharlieh
Influencer

First we need to find the internal to internal connections. One way we can do this with the cidrmatch function in a where command like so:

base search | where (cidrmatch("10.0.0.0/8",srcaddr) OR cidrmatch("192.168.0.0/16", srcaddr)) AND (cidrmatch("10.0.0.0/8",dstaddr) OR cidrmatch("192.168.0.0/16", dstaddr)) 

Now I'm not sure what you mean by map the number of connections exactly, but from here you could then add a | stats count to get the count of internal to internal connections, or do any other statistical function. (If you could clarify more of what you want I could have a better recommendation)

splunknewby
Path Finder

Hi acharlieh, I've tried using cidrmatch(), but I don't get any hits for the following index = main | where cidrmatch("192.168.0.0/16",srcaddr), even though there is data with IP addresses in that range under the main index.

Using where like(srcaddr,"192.168.%") returns results, but doesn't seem to be the best solution.

Also, yes I want to essentially get a count of all internal to internal connections.


acharlieh
Influencer

I wonder if the extraction for srcaddr has a trailing space in it... compare the output of these queries:

| noop | stats count | eval srcaddr="192.168.12.1 " | where like(srcaddr,"192.168.%")

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",srcaddr)

| noop | stats count | eval srcaddr="192.168.12.1 " | where cidrmatch("192.168.0.0/16",trim(srcaddr))

| noop | stats count | eval srcaddr="192.168.12.1" | where cidrmatch("192.168.0.0/16",srcaddr)
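The following is an added example, not part of the thread or of Splunk itself. It models in Python what the two answers above do in SPL: a cidrmatch-style test over a list of constructed srcaddr/dstaddr records (standing in for events), a count of internal-to-internal connections, and the trailing-space failure mode, where a padded address fails the match until it is trimmed. The event list, the helper names and the assumption that an unparsable value simply fails the match (rather than raising) are all mine; real Splunk cidrmatch is a string function on field values, which is why the field does not need to be stored as an "IP type" for it to work once the value is clean.

```python
import ipaddress
from collections import Counter

# Constructed sample records standing in for Splunk events that carry
# srcaddr and dstaddr fields. The second record has a trailing space on
# srcaddr to reproduce the extraction problem discussed in the thread.
SAMPLE_EVENTS = [
    {"srcaddr": "10.1.2.3",      "dstaddr": "10.9.8.7"},     # internal -> internal
    {"srcaddr": "192.168.12.1 ", "dstaddr": "10.0.0.5"},     # padded srcaddr
    {"srcaddr": "192.168.5.5",   "dstaddr": "8.8.8.8"},      # internal -> external
    {"srcaddr": "203.0.113.9",   "dstaddr": "10.2.2.2"},     # external -> internal
    {"srcaddr": "10.10.10.10",   "dstaddr": "192.168.1.1"},  # internal -> internal
]

# The two private ranges from the accepted answer.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def cidrmatch(cidr, value, trim=False):
    """Python analogue of SPL cidrmatch(cidr, value) (assumption: not Splunk's code).

    Returns True when `value` is an address inside `cidr`. A value that does
    not parse as an address (for example one with stray whitespace) is
    treated as a non-match instead of an error. With trim=True the value is
    stripped first, mirroring cidrmatch("...", trim(srcaddr)) in the answer.
    """
    if trim:
        value = value.strip()
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False
    return addr in ipaddress.ip_network(cidr)


def is_internal(value, trim=False):
    """True if the address falls in any of INTERNAL_NETS (the OR in the SPL where clause)."""
    return any(cidrmatch(str(net), value, trim) for net in INTERNAL_NETS)


def count_internal_to_internal(events, trim=False):
    """Equivalent of the where clause followed by `| stats count`."""
    return sum(
        1 for e in events
        if is_internal(e["srcaddr"], trim) and is_internal(e["dstaddr"], trim)
    )


def count_by_pair(events, trim=False):
    """Equivalent of `| stats count by srcaddr, dstaddr` over the filtered events."""
    counts = Counter()
    for e in events:
        src = e["srcaddr"].strip() if trim else e["srcaddr"]
        dst = e["dstaddr"].strip() if trim else e["dstaddr"]
        if is_internal(src) and is_internal(dst):
            counts[(src, dst)] += 1
    return counts


if __name__ == "__main__":
    # Without trimming, the padded record is silently dropped; with trimming it counts.
    print("without trim:", count_internal_to_internal(SAMPLE_EVENTS))
    print("with trim:   ", count_internal_to_internal(SAMPLE_EVENTS, trim=True))
    for pair, n in count_by_pair(SAMPLE_EVENTS, trim=True).items():
        print(pair, n)
```

Run stand-alone, the untrimmed count is one lower than the trimmed count, which is exactly the symptom in the thread: a like("192.168.%") test tolerates the trailing space, a cidrmatch does not, so the fix belongs in the field extraction (or a trim() in the search) rather than in the field's storage type.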

splunknewby
Path Finder

Could the issue be that the srcaddr is being saved as a string?

Is there a way to force Splunk to save the two fields srcaddr and dstaddr as IPs?
