Splunk Search

How to search across all my data for any public IP addresses?


Hello all,

I've been hoping to play around with some of the iplocation functionality and see if I could leverage it somehow, so I rooted around and found that most of my data is private addresses. That was to be expected, but as I dig around, I cannot seem to find any public addresses at all.

From there I thought it would be fairly simple to do a search across all my data for any public address, or at the very least any non-private (weed out the smaller set). It turns out that I cannot find an easy way of doing this. Regex sounds like it would be a good approach, but that alone as proven to be more complex than expected.

Since I'm looking to find a public IP in any location, which means I'm not specifying a source, sourcetype, or field. So I'm either using _raw with regex or index=* searches for IP addresses. Without regex, it becomes a bit of a bear because doing a NOT search without specifying a field (which I do not know) removes the whole event, which may also contain a public address.

I've found a couple regex online that match RFC 1918 addresses, but most use the /m flag in regex101 (m modifier: multi-line. Causes ^ and $ to match the begin/end of each line) which it looks like splunk does not use.

I'm currently using this:

index=*| regex _raw="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | search src_ip!=10.* src_ip!=127.* src_ip!=172.16.* src_ip!=::ffff:10* src_ip.!=::ffff:127.* src_ip!=::fff:172.16.*

Ideally I'd not have to specify a field, as I said previously, but my current approach is to pair down the data with specific qualifiers until I either find what I'm looking for or run out of data.

I very well may not have any public addresses in the data I'm using!

Any suggestions for this problem?

0 Karma


Just adding to pgreer's answer

| makeresults 
| eval ip_list=",,,,,"
| makemv ip_list delim="," 
| mvexpand ip_list
| eval ip_type = case(match('ip_list',"172.(1[6-9].|2[0-9].|3[0-1].)[0-9]{1,3}.[0-9]{1,3}"),"1_private",match('ip_list',"(10.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"),"1_private",match('ip_list',"(192.168.[0-9]{1,3}.[0-9]{1,3})"),"1_private",match('ip_list',"(127.[0-9]{1,3}.[0-9]{1,3}.[0-9]{1,3})"),"3_loopback",match('ip_list',"(169.254.[0-9]{1,3}.[0-9]{1,3})"),"2_apipa",1=1,"0_public")
| sort ip_type ip_list

Splunk Employee
Splunk Employee

Maybe the regex's below might help in being more specific to just public ranges?



Maybe that might find some matches for your initial regex against _raw events.

0 Karma
.conf21 CFS Extended through 5/20!

Don't miss your chance
to share your Splunk
wisdom in-person or
virtually at .conf21!

Call for Speakers has
been extended through
Thursday, 5/20!