Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

SPL for adding /32 to all addresses returned in a search

ptrsnk
Explorer
‎03-03-2024 04:01 PM

Hello,

I am running a search that is returning IP addresses that are being sent to a waf (web access firewall).  The waf requires all IP addresses to be written in CIDR notation.  I am just returning single IPs ,so I have to add a /32 to each address that I submit.

I am using the stats command, looking at different parameters and them counting by IP to provide the list I am submitting.  It seems like it should be straight forward using concatenation, but I haven't been able to get to a solution.

eval  cidr_address=remoteIP + "/32" and varieties  of this approach(casting to string etc)  haven't worked. 

Appreciate any help anyone can provide.

 

Labels (1)
Labels
Tags (1)
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ptrsnk
Explorer
‎03-03-2024 06:38 PM

 

I couldn't get "cird_address=remoteIP ."/32"" to work in my search. I created a more simple search and it worked fine.  Your suggestion was correct.  I need to do more work on my search.

Thanks for your help!

 

Peter

 

View solution in original post

0 Karma
Reply
Solved! Jump to solution

richgalloway
SplunkTrust
SplunkTrust
‎03-03-2024 05:11 PM

Have you tried using the other concatenation operator - dot vs plus?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

ptrsnk
Explorer
‎03-03-2024 06:04 PM

Yes I tried the .(dot)

| eval  cird_address=remoteIP ./32
Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '/32'.

| eval  cird_address=remoteIP ."/32"

This one does NOT show  an error, but i get no results.   Maybe there is something farther down in the search that's not correct.

I check that and respond again.

Thanks for your sugestion

 

 

0 Karma
Reply
Solved! Jump to solution
Solution

ptrsnk
Explorer
‎03-03-2024 06:38 PM

 

I couldn't get "cird_address=remoteIP ."/32"" to work in my search. I created a more simple search and it worked fine.  Your suggestion was correct.  I need to do more work on my search.

Thanks for your help!

 

Peter

 

0 Karma
Reply
Solved! Jump to solution

jotne
Builder
‎03-03-2024 09:57 PM

You should accept ptrsnks answer not your reply.

0 Karma
Reply
Get Updates on the Splunk Community!

Index This | I’m short for "configuration file.” What am I?

May 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with a Special ...

New Articles from Academic Learning Partners, Help Expand Lantern’s Use Case Library, ...

Splunk Lantern is a Splunk customer success center that provides advice from Splunk experts on valuable data ...

Your Guide to SPL2 at .conf24!

So, you’re headed to .conf24? You’re in for a good time. Las Vegas weather is just *chef’s kiss* beautiful in ...