Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

IPv6 subnet as search parameter does not work (but IPv4 does!)

npichugin
Path Finder
‎08-09-2013 12:31 AM

Hello,

Let's say I'm trying to search for events where src_ip field matches some subnet:

search index=myindex src_ip="1.2.0.0/16"

This works perfectly. Now I want to run a similar search, but for IPv6 subnet:

search index=myindex src_ip6="1234:5678::/32"

This does NOT work. However, cidrmatch() function in "where" command works for both IPv4 and IPv6, so I consider search behaviour described above to be a bug.
Is this a known issue for Splunk developers? Is there a way to workaround this without using cidrmatch()?

P.S. Is it OK to report bugs here at splunkbase? I didn't found the Splunk bugtracker...

Tags (4)
Reply

_d_
Splunk Employee
Splunk Employee
‎08-24-2013 06:33 PM

While lookups and the cidrmatch function work with IPv6 CIDR notation, a direct search (similar to your first one with IPv4) does not. It is a known internal requirement that will be tentatively solved in a future release.

Reply

npichugin
Path Finder
‎08-25-2013 11:23 PM

Thanks for clarifying!

0 Karma
Reply

npichugin
Path Finder
‎08-09-2013 02:53 AM

Thank you very much! I'll file this issue there.

0 Karma
Reply

martin_mueller
SplunkTrust
SplunkTrust
‎08-09-2013 02:49 AM

Reporting suspected bugs here is quite okay, the more direct approach would be to submit a case here: https://www.splunk.com/page/submit_issue

0 Karma
Reply
Take the 2021 Splunk Career Survey

Help us learn about how Splunk has
impacted your career by taking the 2021 Splunk Career Survey.

Earn $50 in Amazon cash!

Get Updates on the Splunk Community!