Splunk Search

Search for multiple IP ranges

Path Finder

I am looking for the best way to search multiple IP ranges. Currently I am using rex as follows:

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

This works as intended and will show every value where the last octet is >=0 or <=100. I have 2 questions:

[1] How can I make it so I could search many ranges? Something like:

sourcetype=mysourcetype 1.*.*.* | rex field=ip "1\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100
sourcetype=mysourcetype 2.*.*.* | rex field=ip "2\.\d+\.\d+\.(?<oct>\d+)" | search oct>=0 oct<=100

[2] Is there a way to make it so it's not this range?

1 Solution

SplunkTrust

If you can express what you're looking for in CIDR notation, Splunk is smart enough to do this pretty much itself using where and cidrmatch. See http://www.splunk.com/base/Documentation/latest/SearchReference/Where for more info.

But, if you really want to do octet ranges, something like this should work as a more generalized rule:

sourcetype=mysourcetype 
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)" 
| search ( ( ip_octet1 >= 204 ip_octet1 <=207 ip_octet3 >=70 ) OR ip_octet3=105 )

You can perform arbitrarily complex boolean expressions of AND, OR, and NOT to get your point across, as long as you properly wrap it with parentheses.

But, hopefully, the CIDR approach is much more workable for you.
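Combining the two approaches above to answer both of the original questions, as an added example that is not from this thread: the first search keeps events from several ranges at once, the second excludes a range. It assumes the asker's `ip` field and `mysourcetype`; the `/8` blocks and the `<=100` cutoff come from the question, and `tonumber` is used so the rex-extracted octet compares numerically.

```spl
sourcetype=mysourcetype
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)"
| where (cidrmatch("1.0.0.0/8", ip) OR cidrmatch("2.0.0.0/8", ip)) AND tonumber(ip_octet4)<=100

sourcetype=mysourcetype
| rex field=ip "(?<ip_octet1>\d+)\.(?<ip_octet2>\d+)\.(?<ip_octet3>\d+)\.(?<ip_octet4>\d+)"
| where NOT (cidrmatch("1.0.0.0/8", ip) AND tonumber(ip_octet4)<=100)
```

Events whose `ip` value does not match the rex pattern get no `ip_octet4`, so the comparison is null and they are dropped by both `where` clauses; add an explicit `isnotnull(ip_octet4)` test if you want to see those separately.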


Motivator

CIDR matching as dwaddle suggests is the simplest if you can get it down to CIDR blocks.

Another option would be to break out your range definitions into eventtypes, or to build a lookup table and search on the output -- look here:
http://answers.splunk.com/questions/5916/using-cidr-in-a-lookup-table

Path Finder

Great. I am just wondering, from a performance perspective, what's best. If I do CIDR then I could do src=1.1.1.1/8. So my question is: would it be best to do cidrmatch(src, 1.1.1.1/8) or src=1.1.1.1/8?
