Is it possible to do a CIDR match in a tstats where clause?

Path Finder

Is it possible to match IP address range in tstats where clause?

Example:
It's possible to do this with search+stats:

index=test IP="10.1.1.0/25" | stats count by IP

But since we have IP extracted at index time, I'd rather take advantage of tstats performance and run something like

| tstats count where index=test IP="10.1.1.0/25" by IP

but that doesn't work as expected - tstats matches any IP as if the filter was IP="*"
Ideas?

0 Karma

Re: Is it possible to do a CIDR match in a tstats where clause?

Legend

I think that you already used the tscollect command (e.g. into test_stats) before using tstats, something like this

   index=test earliest=-30d latest=now | table _time IP field1 field2 field3 ... | tscollect test_stats

so the command could be:

  | tstats count FROM test_stats GROUPBY IP

Bye.
Giuseppe


Re: Is it possible to do a CIDR match in a tstats where clause?

Legend

If you're satisfied with the answer, please accept it.
Bye.
Giuseppe

0 Karma

Re: Is it possible to do a CIDR match in a tstats where clause?

Path Finder

I downvoted this post because:
Sorry, can't accept. Your reply doesn't answer my question:
1. Your assumption that I've used '| tscollect' is incorrect.
2. The '| tstats ...' you proposed misses the point of returning only IPs in a specific range.

0 Karma

Re: Is it possible to do a CIDR match in a tstats where clause?

SplunkTrust

tstats is not CIDR-aware for where clauses. Sorry 😞


Re: Is it possible to do a CIDR match in a tstats where clause?

Path Finder

Apparently this is no longer true in Splunk v.7.x.
Thanks to @woodcock for pointing this out

0 Karma

Re: Is it possible to do a CIDR match in a tstats where clause?

Esteemed Legend

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

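Applying the accepted answer to the search from the question, as an added example that is not from any post in this thread: the first search puts the CIDR filter directly in the tstats where clause (honoured on 7.x); the second is a fallback for versions where the where clause ignores the CIDR and matches everything, post-filtering the aggregated rows with the eval function cidrmatch instead. It assumes index=test and an index-time field named IP, as in the question.

```spl
| tstats count where index=test IP="10.1.1.0/25" by IP

| tstats count where index=test by IP
| where cidrmatch("10.1.1.0/25", IP)
```

Both should return the same rows as `index=test IP="10.1.1.0/25" | stats count by IP`, which is the check to run before trusting the native filter on a given version; the fallback aggregates every IP in the index first, so it costs more than the native filter but still avoids reading raw events.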