Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Is it possible to do a CIDR match in a tstats where clause?

IgorB
Path Finder
‎07-11-2016 03:25 PM

Is it possible to match IP address range in tstats where clause?

Example:
It's possible to do this with search+stats: 

index=test IP="10.1.1.0/25" | stats count by IP

But since we have IP extracted at index time, I'd rather take advantage of tstats performance and run something like 

| tstats count where index=test IP="10.1.1.0/25" by IP

but that doesn't work as expected - tstats matches any IP as if the filter was IP="*"
Ideas?

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:39 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

View solution in original post

Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:39 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

Reply
Solved! Jump to solution

astatrial
Contributor
‎09-03-2020 01:28 AM

Is the negative form suppose to work as well? 

 

For example:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src!="10.0.0.0/8"

 

Tags (1)
0 Karma
Reply
Solved! Jump to solution

dshpritz
SplunkTrust
SplunkTrust
‎12-21-2016 07:45 AM

tstats is not CIDR aware for where clauses. Sorry 😞

Reply
Solved! Jump to solution

IgorB
Path Finder
‎06-25-2019 12:17 PM

Apparently this is no longer true in Splunk v.7.x.
Thanks to @woodcock for pointing this out

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎07-12-2016 12:02 AM

I think that you already used the tscollect (eg.g. in test_stats) command before use tstats, something like this

   index=test earliest=-30d latest=now | table _time IP field1 field2 field3 ... | tscollect test_stats

so the command could be:

  | tstats count FROM tests_stats GROUPBY IP

Bye.
Giuseppe

Reply
Solved! Jump to solution

IgorB
Path Finder
‎09-12-2016 07:48 AM

I downvoted this post because:
Sorry, can't accept. your reply doesn't answer my question:
1. your assumption that I've used '| tscollect' is incorrect
2. '| tstats ... ' you proposed misses the point of returning only ips in a specific range

0 Karma
Reply
Solved! Jump to solution

gcusello
SplunkTrust
SplunkTrust
‎09-09-2016 04:06 AM

if you're satisfied of the answer, please, accept the answer.
Bye.
Giuseppe

0 Karma
Reply
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...