Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to use the cidrmatch() function with IPV6 IP addresses?

fdi01
Motivator
‎04-14-2015 12:06 AM

The cidrmatch() function is used to identify IP addresses that belong to a particular subnet. How do I use it with IPV6 IP addresses? Syntax?

thanks

Tags (4)
Reply
1 Solution
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 02:03 AM

Hello! I Firs i suggest that you follow this doc: https://blog.icann.org/wp-content/uploads/2010/07/ipv6-address-types.pdf
Then, for example to use the cidrmatch() for 2001:0000:4136:e378:8000:63bf:3fff:fdd2 address, you can just do something like this:

........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")

which compare the IP addresses in the clientip field to a subnet range, and give the value local to the network if the value of clientip falls in the subnet range, Otherwise, network=other.

SGF

View solution in original post

Reply
Solved! Jump to solution
Solution

stephanefotso
Motivator
‎04-14-2015 02:03 AM

Hello! I Firs i suggest that you follow this doc: https://blog.icann.org/wp-content/uploads/2010/07/ipv6-address-types.pdf
Then, for example to use the cidrmatch() for 2001:0000:4136:e378:8000:63bf:3fff:fdd2 address, you can just do something like this:

........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")

which compare the IP addresses in the clientip field to a subnet range, and give the value local to the network if the value of clientip falls in the subnet range, Otherwise, network=other.

SGF
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-14-2015 02:23 AM

thank you but does not work .
i try like that:
| eval network=if(cidrmatch("2001:0000::/32",2001:0000:4136:e378:8000:63bf:3fff:fdd2), "local", "other")
but no isue. and i have this error:
Error in 'eval' command: The expression is malformed. Expected ).

0 Karma
Reply
Solved! Jump to solution

stephanefotso
Motivator
‎04-14-2015 06:13 AM

you don't need to test like this. My query suppose that you have a field named clientip, with IPV6 IP addresses in your events. To test with a value of clientip try this:

  your base search  | eval network=if(cidrmatch("2001:0000::/32","2001:0000:4136:e378:8000:63bf:3fff:fdd2"), "local", "other")

I think it will work

SGF
Reply
Solved! Jump to solution

fdi01
Motivator
‎04-14-2015 06:18 AM

it work fine Mr stephanefotso is it cool

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...