Splunk Search

Search for multiple IP ranges

bsteelz93
Path Finder

I am looking for the best way to search multiple IP ranges. Currently I am using rex as follows

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

This works as intended and will show every value where the last octet is >=0 or <=100. I have 2 questions:

[1] How can I make it so I could search many ranges? Something like:

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
sourcetype=mysourcetype 2.*.*.* | rex field=ip "2\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

[2] Is there a way to make it so it's not this range?

0 Karma
1 Solution

dwaddle
SplunkTrust

If you can express what you're looking for in CIDR notation, Splunk is smart enough to do this pretty much itself using where and cidrmatch. See http://www.splunk.com/base/Documentation/latest/SearchReference/Where for more info.

But, if you really want to do octet ranges, something like this should work as a more generalized rule:

sourcetype=mysourcetype 
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)" 
| search ( ( ip_octet1 >= 204 ip_octet1 <=207 ip_octet3 >=70 ) OR ip_octet3=105 )

You can perform arbitrarily complex boolean expressions of AND, OR, and NOT to get your point across, as long as you properly wrap it with parentheses.

But, hopefully, the CIDR approach is much more workable for you.

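As an added illustration (not part of this thread, and not Splunk's own code), the following Python models the accepted answer's CIDR approach on a few constructed events: several include blocks OR-ed together (question [1]), an exclude block for the "not this range" case (question [2]), and a helper that turns an inclusive last-octet range such as 1.2.3.0-1.2.3.100 into the CIDR blocks cidrmatch() can consume directly. The field name src, the sample events and the constant values are assumptions; the Splunk equivalent is given in a comment for reference.

```python
import ipaddress
import re
from typing import List, Optional, Sequence, Tuple

# Constructed sample events (not data from the thread); "src" is an assumed field name.
SAMPLE_EVENTS = [
    "sourcetype=mysourcetype src=1.2.3.4 action=allow",
    "sourcetype=mysourcetype src=1.2.3.150 action=allow",
    "sourcetype=mysourcetype src=1.50.0.1 action=allow",
    "sourcetype=mysourcetype src=2.9.9.77 action=deny",
    "sourcetype=mysourcetype src=10.2.3.4 action=allow",    # a wildcard like 1.*.*.* also hits this
    "sourcetype=mysourcetype src=1.2.3.999 action=allow",   # malformed; must be rejected, not matched
    "sourcetype=mysourcetype src=192.168.1.5 action=allow",
]

# Same job as the thread's rex, with the dots escaped so "." cannot match any character.
SRC_RE = re.compile(r"\bsrc=(\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_src(event: str) -> Optional[ipaddress.IPv4Address]:
    """Pull the src value out of one event and validate it as an IPv4 address."""
    m = SRC_RE.search(event)
    if not m:
        return None
    try:
        return ipaddress.IPv4Address(m.group(1))
    except ValueError:  # e.g. an octet above 255
        return None


def in_any(ip: ipaddress.IPv4Address, nets: Sequence[ipaddress.IPv4Network]) -> bool:
    """Equivalent of OR-ing several cidrmatch() calls."""
    return any(ip in n for n in nets)


def range_to_cidrs(first: str, last: str) -> List[str]:
    """Express an inclusive address range as the minimal list of CIDR blocks.

    This is how an octet range (1.2.3.0 through 1.2.3.100) is "got down to
    CIDR blocks" for use with cidrmatch().
    """
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


def filter_events(events: Sequence[str], include: Sequence[str], exclude: Sequence[str] = (),
                  last_octet: Optional[Tuple[int, int]] = None) -> List[str]:
    """Keep events whose src is inside any include block, inside no exclude block,
    and (optionally) whose last octet lies within [lo, hi].

    Splunk equivalent of the include/exclude part (assumed field name src):
      | where (cidrmatch("1.0.0.0/8", src) OR cidrmatch("2.0.0.0/8", src))
              AND NOT cidrmatch("1.2.0.0/16", src)
    """
    # strict=False tolerates host bits in the notation, e.g. 1.1.1.1/8 -> 1.0.0.0/8
    inc = [ipaddress.IPv4Network(c, strict=False) for c in include]
    exc = [ipaddress.IPv4Network(c, strict=False) for c in exclude]
    kept = []
    for ev in events:
        ip = extract_src(ev)
        if ip is None:
            continue
        if not in_any(ip, inc) or in_any(ip, exc):
            continue
        if last_octet is not None:
            lo, hi = last_octet
            if not lo <= ip.packed[-1] <= hi:   # packed[-1] is the last octet as an int
                continue
        kept.append(ev)
    return kept


if __name__ == "__main__":
    print("1.2.3.0-1.2.3.100 as CIDR:", range_to_cidrs("1.2.3.0", "1.2.3.100"))
    for ev in filter_events(SAMPLE_EVENTS, ["1.0.0.0/8", "2.0.0.0/8"], last_octet=(0, 100)):
        print("in 1/8 or 2/8, last octet 0-100:", ev)
    for ev in filter_events(SAMPLE_EVENTS, ["1.1.1.1/8"], exclude=["1.2.0.0/16"]):
        print("in 1/8 but not 1.2/16:", ev)
```

Two things the model makes visible that the one-line searches do not: a range that is not aligned to a power of two (0-100) becomes four CIDR blocks rather than one, and a value that merely looks like an address (1.2.3.999) is dropped by validation instead of being silently compared octet by octet.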

southeringtonp
Motivator

CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks.

Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:
http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table

0 Karma

bsteelz93
Path Finder

Great. I am just wondering, from a performance perspective, what's best. If I do CIDR then I could do src=1.1.1.1/8. So my question is: would it be best to do cidrmatch(src, 1.1.1.1/8) or src=1.1.1.1/8?

0 Karma