How to write a query to check IP addresses in Subn...

POR160893 · ‎06-01-2023

Hi,

I am trying to establish a query that checks whether a random src IP is in a specific subnet.

However, all the subnets and IP addresses are in String format and I am unable to establish any mathematical relationship between the conditions.

Here is a part of my current query:

| inputlookup ABC.csv
| eval ip = 10.1.2.342

| eval AMERICAS =if(ip >= 10.0.0.1 OR ip <= 10.63.255.254,"NOK","OK")

| table AMERICAS

Can you please help?

Many thanks as always,

isoutamo · ‎06-01-2023

Hi

I expecting that your ip is like "10.1.2.34" not "10.1.2.342" and you have e.g. subnets 10.0.0.0 - 10.63.255.255 defined for America. Then you can check it like

| eval ip = "10.1.2.34", subnet = "10.0.0.0/10"
| eval AMERICAS = if (cidrmatch(subnet,ip), "OK", "NOK")

If your subnets are not exactly dived by suitable masks, you need to add needed smaller subnets and combine this if with several OR clauses.

r. Ismo

ITWhisperer · ‎06-01-2023

If your subnets are in CIDR format, you can use the cidrmatch() function

How to write a query to check IP addresses in Subnets?

chart

eval

search job inspector

stats

table

Community Content Calendar, November Edition

October Community Champions: A Shoutout to Our Contributors!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

How to write a query to check IP addresses in Subnets?