Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

How to write a query to check IP addresses in Subnets?

POR160893
Builder
‎06-01-2023 02:52 AM

Hi,

I am trying to establish a query that checks whether a random src IP is in a specific subnet.

However, all the subnets and IP addresses are in String format and I am unable to establish any mathematical relationship between the conditions.

Here is a part of my current query:

| inputlookup ABC.csv
| eval ip = 10.1.2.342

| eval AMERICAS =if(ip >= 10.0.0.1 OR ip <= 10.63.255.254,"NOK","OK")

| table AMERICAS

 

Can you please help?

Many thanks as always,

Labels (5)
0 Karma
Reply

isoutamo
SplunkTrust
SplunkTrust
‎06-01-2023 05:45 AM

Hi

I expecting that your ip is like "10.1.2.34" not "10.1.2.342" and you have e.g. subnets 10.0.0.0 - 10.63.255.255 defined for America. Then you can check it like

| eval ip = "10.1.2.34", subnet = "10.0.0.0/10"
| eval AMERICAS = if (cidrmatch(subnet,ip), "OK", "NOK")

If your subnets are not exactly dived by suitable masks, you need to add needed smaller subnets and combine this if with several OR clauses.

r. Ismo 

0 Karma
Reply

ITWhisperer
SplunkTrust
SplunkTrust
‎06-01-2023 03:30 AM

If your subnets are in CIDR format, you can use the cidrmatch() function

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...