Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Trying to search by CIDR but getting no results

bworrellZP
Communicator
‎04-28-2016 12:12 PM

So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?

index=* scr_ip=10.0.0.0/16  web_app=YouTube
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-28-2016 12:49 PM

Your syntax is right.
Have you tried searching the whole 10...* range by using /8 instead of /16?

index=* scr_ip=10.0.0.0/8 web_app=YouTube

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

javiergn
Super Champion
‎04-28-2016 12:49 PM

Your syntax is right.
Have you tried searching the whole 10...* range by using /8 instead of /16?

index=* scr_ip=10.0.0.0/8 web_app=YouTube
0 Karma
Reply
Solved! Jump to solution

bworrellZP
Communicator
‎04-29-2016 04:23 AM

Tried with the /8 as well. tried going down to the class C where I know the IP is, and get nada. But when I search by the one actual IP, I get data

0 Karma
Reply
Solved! Jump to solution

javiergn
Super Champion
‎04-29-2016 04:32 AM

Grr. That's weird.
See this post here:

https://answers.splunk.com/answers/23554/cidr-match.html

I've used that notation hundreds of times.
Is your src_ip being extracted correctly?

0 Karma
Reply
Solved! Jump to solution

bworrellZP
Communicator
‎04-29-2016 04:42 AM

I think it is, as I use it in the Cisco security app without an issue. The logs that have this data, are the same that I use to feed that app, just was trying to do it in the main search app, to create a dashboard for the boss.

Going to try something else, omitting the SRC IP, and see if it will give me that as a stats.

0 Karma
Reply
Solved! Jump to solution

bworrellZP
Communicator
‎04-29-2016 05:08 AM

So in testing, seems the webapp field was causing a conflict (comes from the IPS events in the ASA), changing from that to youtube.com, solved the issue. got the results I was expecting. Could be a bug in that app, will check with Cisco to be sure.

thanks for your help.

0 Karma
Reply
Solved! Jump to solution

vasanthmss
Motivator
‎04-28-2016 12:30 PM

try some thing like this,

index= wep_app=YouTube src_ip="10.0.0.*" OR src_id="known ip" OR src_id="known ip2" ....

V
0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...