Splunk Search

How to search for a range of IP addresses (example: 10.10.10.32 through 10.10.10.96)?

kmulcahy
Engager

Does anyone know the criteria to search for a range of IP addresses under the following conditions?

I want to narrow the results down to IP addresses that fall within 10.10.10.32 - 10.10.10.96 or say 10.10.10.1 - 10.10.10.128.

I've used the regex _ip="10.10.10.(3[0-9])" and got successful results for addresses in 10.10.10.30-39. But how can I do what I'm asking above?

Any help is greatly appreciated.

Thanks

logloganathan
Motivator

your query | rex field=_raw "10\.10\.10\.(?<range>\d{1,3})" | where range >=32 AND range<=96

for the IP range 10.10.10.32 - 10.10.10.96

your query | rex field=_raw "10\.10\.10\.(?<range>\d{1,3})" | where range >=1 AND range<=128

for the IP range 10.10.10.1 - 10.10.10.128

aaraneta_splunk
Splunk Employee

@kmulcahy - Did any of the below answers help you out? If yes, please don't forget to click "Accept" below the best answer. If no, please leave a comment with some additional feedback. Thanks!

gokadroid
Motivator

If all you need is a range comparison on "10.10.10.xxx" what you could do is extract the range and compare on it as:

10.10.10.32 - 10.10.10.96

yourBaseQuery to give you ips
| rex "10\.10\.10\.(?<range>\d{1,3})"
| where range >=32 AND range<=96
| complete your Query

or similarly for 1-128

If you want more dynamic IPs, then that can be regexed too, like below, as long as you keep track of those range numbers.

yourBaseQuery to give you ips
| rex "\d{1,3}\.\d{1,3}\.\d{1,3}\.(?<range>\d{1,3})"
| where range >=32 AND range<=96
| complete your Query

LCM_BRogerson
Path Finder

CIDR notation might be what you're looking for

 _ip=10.10.10.32/27 OR _ip=10.10.10.64/27 OR _ip=10.10.10.96

would give you a range of 10.10.10.32-10.10.10.96. Or you could expand the regex to something like

regex _ip="10.10.10.(3[2-9]|[4-8][0-9]|9[0-6])"

DalJeanis
Legend

@LCM_BRogerson, @kmulcahy -

That regex would also match "10X10Q10!39". The periods need to be escaped, or they will match any character.

 | regex _ip="10\.10\.10\.(3[2-9]|[4-8][0-9]|9[0-6])"
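As an added check (example code written here, not from the thread or from Splunk), the following Python uses stdlib stand-ins for the CIDR match on _ip and for the regex command, run over constructed _ip values, to compare the two approaches above; it also shows the unanchored-match caveat that escaping alone does not cover.

```python
"""Offline check of the IP-range search terms from this thread (added example,
not Splunk code): stdlib stand-ins for Splunk's CIDR match on _ip and for the
`regex` command, run over constructed values before a real search."""
import ipaddress
import re

# Constructed sample values of the _ip field, including the junk value
# DalJeanis warns about and an address that merely contains the prefix.
SAMPLE_IPS = ["10.10.10.31", "10.10.10.32", "10.10.10.63", "10.10.10.96",
              "10.10.10.97", "10.10.10.128", "10X10Q10!39", "110.10.10.40"]

# The thread's regexes: the original, the dot-escaped fix, and (added here)
# the fix with anchors; Splunk's regex command searches unanchored, so
# "110.10.10.40" would otherwise slip through.
UNESCAPED = r"10.10.10.(3[2-9]|[4-8][0-9]|9[0-6])"
ESCAPED = r"10\.10\.10\.(3[2-9]|[4-8][0-9]|9[0-6])"
ANCHORED = r"^10\.10\.10\.(3[2-9]|[4-8][0-9]|9[0-6])$"

def cidr_blocks(first, last):
    """Minimal CIDR blocks covering first..last inclusive (the OR-list form)."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def select_by_cidr(values, blocks):
    """Emulate `_ip=<cidr> OR _ip=<cidr> ...`; non-IP values never match."""
    nets = [ipaddress.ip_network(b) for b in blocks]
    hits = []
    for v in values:
        try:
            ip = ipaddress.ip_address(v)
        except ValueError:
            continue  # "10X10Q10!39" is excluded by the CIDR match
        if any(ip in n for n in nets):
            hits.append(v)
    return hits

def select_by_regex(values, pattern):
    """Emulate `| regex _ip="<pattern>"`: an unanchored search, as in Splunk."""
    rx = re.compile(pattern)
    return [v for v in values if rx.search(v)]

if __name__ == "__main__":
    blocks = cidr_blocks("10.10.10.32", "10.10.10.96")  # ['10.10.10.32/27', '10.10.10.64/27', '10.10.10.96/32']
    print("cidr:", select_by_cidr(SAMPLE_IPS, blocks))
    for name, pat in (("unescaped", UNESCAPED), ("escaped", ESCAPED), ("anchored", ANCHORED)):
        print(f"{name}:", select_by_regex(SAMPLE_IPS, pat))
```

Only the anchored, dot-escaped regex selects exactly the same values as the CIDR list; the other two admit the junk value and/or the longer address.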

logloganathan
Motivator

I downvoted this post because it was not properly explained.


ppablo
Retired

Hi @logloganathan

Downvoting should only be reserved for suggestions/solutions that could be potentially harmful for a Splunk environment or go completely against known best practices. Simply commenting with constructive feedback on the post you are concerned with will be more beneficial for the community to learn from.

Some of the most active members in Answers have helped set the standard of how voting etiquette should work in the Splunk community which distinguishes our culture apart from other Q&A forums. Upvote early and often to give credit where it’s due for high quality posts, comment where you think feedback needs to be given, and only downvote if something potentially dangerous is suggested or people are just being inappropriate.

If you’re interested in seeing how this voting etiquette was developed, check out this Splunk Answers post: https://answers.splunk.com/answers/244111/proper-etiquette-and-timing-for-voting-here-on-ans.html
