Splunk Search

SPL for adding /32 to all addresses returned in a search

ptrsnk
Explorer

Hello,

I am running a search that is returning IP addresses that are being sent to a waf (web access firewall). The waf requires all IP addresses to be written in CIDR notation. I am just returning single IPs, so I have to add a /32 to each address that I submit.

I am using the stats command, looking at different parameters and then counting by IP to provide the list I am submitting. It seems like it should be straightforward using concatenation, but I haven't been able to get to a solution.

eval cidr_address=remoteIP + "/32" and varieties of this approach (casting to string etc.) haven't worked.

Appreciate any help anyone can provide.

 

0 Karma

richgalloway
SplunkTrust

Have you tried using the other concatenation operator - dot vs plus?

---
If this reply helps you, Karma would be appreciated.
0 Karma

ptrsnk
Explorer

Yes, I tried the . (dot)

| eval  cird_address=remoteIP ./32
Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '/32'.

| eval  cird_address=remoteIP ."/32"

This one does NOT show an error, but I get no results. Maybe there is something farther down in the search that's not correct.

I'll check that and respond again.

Thanks for your suggestion

 

 

0 Karma

ptrsnk
Explorer

 

I couldn't get "cird_address=remoteIP ."/32"" to work in my search. I created a more simple search and it worked fine.  Your suggestion was correct.  I need to do more work on my search.

Thanks for your help!

 

Peter

 

0 Karma

jotne
Builder

You should accept ptrsnk's answer, not your reply.

0 Karma
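
The approach from this thread as a self-contained search, added here as an example and not taken from any poster: `stats` counts by `remoteIP`, then the dot operator appends `/32`. The `makeresults`, `split` and `mvexpand` lines only build constructed sample data in place of a real base search, and the IPv4 shape check with the final `where` is an assumption about what the WAF should receive, so that a value that is not an address never reaches the submitted list.

```spl
| makeresults
| eval remoteIP=split("203.0.113.7,198.51.100.23,203.0.113.7,not-an-ip", ",")
| mvexpand remoteIP
| stats count by remoteIP
| eval cidr_address=if(match(remoteIP, "^\d{1,3}(\.\d{1,3}){3}$"), remoteIP."/32", null())
| where isnotnull(cidr_address)
| table cidr_address count
```

Only fields named in the `stats` by-clause or produced by its aggregations exist after `stats`, and concatenating a null field yields null, so the field used in the `eval` must match the by-field name exactly, including case.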