Splunk Search

SPL for adding /32 to all addresses returned in a search

ptrsnk
Explorer

Hello,

I am running a search that is returning IP addresses that are being sent to a WAF (web access firewall). The WAF requires all IP addresses to be written in CIDR notation. I am just returning single IPs, so I have to add a /32 to each address that I submit.

I am using the stats command, looking at different parameters and then counting by IP to provide the list I am submitting. It seems like it should be straightforward using concatenation, but I haven't been able to get to a solution.

eval cidr_address=remoteIP + "/32" and varieties of this approach (casting to string etc.) haven't worked.

Appreciate any help anyone can provide.

 


richgalloway
SplunkTrust

Have you tried using the other concatenation operator - dot vs plus?

---
If this reply helps you, Karma would be appreciated.

ptrsnk
Explorer

Yes, I tried the . (dot)

| eval  cird_address=remoteIP ./32
Error in 'EvalCommand': The expression is malformed. An unexpected character is reached at '/32'.

| eval  cird_address=remoteIP ."/32"

This one does NOT show an error, but I get no results. Maybe there is something farther down in the search that's not correct.

I'll check that and respond again.

Thanks for your suggestion.

 

 


ptrsnk
Explorer

 

I couldn't get "cird_address=remoteIP ."/32"" to work in my search. I created a simpler search and it worked fine. Your suggestion was correct. I need to do more work on my search.

Thanks for your help!

 

Peter

 


jotne
Builder

You should accept ptrsnk's answer, not your reply.
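The working form discussed in this thread, as an added example that is not part of any post above: it uses the `.` operator with a quoted "/32", applies the eval after stats, and drops null or non-IPv4 values, because `.` returns null when remoteIP is null or misspelled (field names are case-sensitive) and null rows then vanish from later `stats ... BY` output. The makeresults rows are constructed sample data, remoteIP is the field name from the question, and the `rename COMMENT` lines are no-op annotations.

```spl
| makeresults count=5
| streamstats count AS n
| eval remoteIP=case(n=1, "203.0.113.10",
                     n=2, "203.0.113.10",
                     n=3, "198.51.100.7",
                     n=4, "not-an-ip")
| rename COMMENT AS "Constructed sample events above (row 5 has a null remoteIP); replace those lines with your own base search"
| stats count BY remoteIP
| rename COMMENT AS "After stats only remoteIP and count exist, so the eval must reference remoteIP exactly"
| eval cidr_address=if(match(remoteIP, "^(25[0-5]|2[0-4]\d|1?\d?\d)(\.(25[0-5]|2[0-4]\d|1?\d?\d)){3}$"),
                       remoteIP . "/32",
                       null())
| rename COMMENT AS "Keep only rows where the concatenation produced a value, so nothing malformed is submitted"
| where isnotnull(cidr_address)
| table cidr_address count
```

If the final table is empty on real data, run the search up to the stats line first and confirm that remoteIP is populated there.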
