Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to pipe REX sequence related to host network?

null0
New Member
‎06-22-2018 10:36 AM

Hello,
this threat to find a solution to this problem: i have many network as

(host=10.29.4.*)

not /24 but subnetted with

|rex field=host "10.29.4.(?\d{1,3})" | where range>=48 AND range<=63 ->/27

so.. how to concatenate, eg.:

(host=10.29.4.*) OR (host=10.29.10.*)
|rex field=host  "10\.29\.4\.(?<range>\d{1,3})" | where range>=48 AND range<=63
|rex field=host  "10\.29\.10\.(?<range>\d{1,3})" | where range>=0 AND range<=63

Many thanks

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-22-2018 12:03 PM

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-22-2018 12:03 PM

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)
0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-22-2018 11:38 AM

Are you trying to get the field range to be a combined list of IPs from both rex statements?

0 Karma
Reply
Solved! Jump to solution

kmorris_splunk
Splunk Employee
Splunk Employee
‎06-22-2018 11:50 AM

I meant to say a list of all of the range values, not IPs.

0 Karma
Reply
Solved! Jump to solution

null0
New Member
‎06-22-2018 12:00 PM

i think it's hard because "range" value is a kind of consequence of network-fields that comes before (eg: 10.29.10.xxxx)

i'm not really skilled, sorry 😉

0 Karma
Reply
Solved! Jump to solution

null0
New Member
‎06-22-2018 11:49 AM

hi kmorris, nope, no combined list in field range.
i sincerly dont know how to do it.. do you have any hint?

bear i mind that i've totally 23 |rex filters related to as many networks

0 Karma
Reply
Get Updates on the Splunk Community!

Aligning Observability Costs with Business Value: Practical Strategies

 Join us for an engaging Tech Talk on Aligning Observability Costs with Business Value: Practical ...

Mastering Data Pipelines: Unlocking Value with Splunk

 In today's AI-driven world, organizations must balance the challenges of managing the explosion of data with ...

Splunk Up Your Game: Why It's Time to Embrace Python 3.9+ and OpenSSL 3.0

Did you know that for Splunk Enterprise 9.4, Python 3.9 is the default interpreter? This shift is not just a ...