Splunk Search

How to pipe REX sequence related to host network?

null0
New Member

Hello,
this threat to find a solution to this problem: i have many network as

(host=10.29.4.*)

not /24 but subnetted with

|rex field=host "10.29.4.(?\d{1,3})" | where range>=48 AND range<=63 ->/27

so.. how to concatenate, eg.:

(host=10.29.4.*) OR (host=10.29.10.*)
|rex field=host  "10\.29\.4\.(?<range>\d{1,3})" | where range>=48 AND range<=63
|rex field=host  "10\.29\.10\.(?<range>\d{1,3})" | where range>=0 AND range<=63

Many thanks

0 Karma
1 Solution

kmorris_splunk
Splunk Employee
Splunk Employee

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)

View solution in original post

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Try this:

(host=10.29.4.*) OR (host=10.29.10.*) 
| rex field=host "10\.29\.4\.(?<range_10_29_4>\d{1,3})" 
| rex field=host "10\.29\.10\.(?<range_10_29_10>\d{1,3})" 
| where (range_10_29_4 >= 48 AND range_10_29_4 <= 63) OR (range_10_29_10 >= 0 AND range_10_29_10 <= 63) 
| eval range=coalesce(range_10_29_4, range_10_29_10)
0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

Are you trying to get the field range to be a combined list of IPs from both rex statements?

0 Karma

kmorris_splunk
Splunk Employee
Splunk Employee

I meant to say a list of all of the range values, not IPs.

0 Karma

null0
New Member

i think it's hard because "range" value is a kind of consequence of network-fields that comes before (eg: 10.29.10.xxxx)

i'm not really skilled, sorry 😉

0 Karma

null0
New Member

hi kmorris, nope, no combined list in field range.
i sincerly dont know how to do it.. do you have any hint?

bear i mind that i've totally 23 |rex filters related to as many networks

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...