Splunk Search

Trying to search by CIDR but getting no results

bworrellZP
Communicator

So I did a search by one IP in this range, and I get matches. My thought was to try searching for any IP in the whole range that matched this criteria, but then I get nothing, not even the IP that I know matches. Am I using the wrong format for searching?

index=* scr_ip=10.0.0.0/16  web_app=YouTube
0 Karma
1 Solution

javiergn
SplunkTrust

Your syntax is right.
Have you tried searching the whole 10...* range by using /8 instead of /16?

index=* scr_ip=10.0.0.0/8 web_app=YouTube


0 Karma

bworrellZP
Communicator

Tried with the /8 as well. Tried going down to the class C where I know the IP is, and got nada. But when I search by the one actual IP, I get data.

0 Karma

javiergn
SplunkTrust

Grr. That's weird.
See this post here:

https://answers.splunk.com/answers/23554/cidr-match.html

I've used that notation hundreds of times.
Is your src_ip being extracted correctly?

0 Karma
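An added example (not from either poster) of how to answer the two questions raised in this thread in one place: whether the IP field is actually extracted under the name being searched, and whether the range matches when it is. The first search tags every event with whether src_ip exists at all and whether it falls in 10.0.0.0/16 using the eval function cidrmatch(), which filters after field extraction rather than relying on CIDR syntax in the base search; the second is the form you would put behind a dashboard panel. The field names src_ip and web_app, the index wildcard and the range are assumptions carried over from the thread, not something the page confirms.

```spl
index=* web_app=YouTube
| eval src_ip_present=if(isnotnull(src_ip), "yes", "no")
| eval in_range=if(isnotnull(src_ip) AND cidrmatch("10.0.0.0/16", src_ip), "yes", "no")
| stats count by src_ip_present in_range

index=* web_app=YouTube
| where cidrmatch("10.0.0.0/16", src_ip)
| stats count by src_ip
```

If the first search returns only src_ip_present="no", the field is not being extracted in the app you are searching from, regardless of the range; field extractions and other knowledge objects defined inside a Splunk app (here, the Cisco app) are only visible from the Search app when their sharing permission is set to All apps (global). If src_ip is present but in_range is "no" for the address you know matches, compare the raw event value against the field value, since a stray port suffix or an extraction that captured the wrong token will defeat both CIDR syntax and cidrmatch().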

bworrellZP
Communicator

I think it is, as I use it in the Cisco security app without an issue. The logs that have this data are the same ones that I use to feed that app; I was just trying to do it in the main search app, to create a dashboard for the boss.

Going to try something else, omitting the SRC IP, and see if it will give me that as a stats.

0 Karma

bworrellZP
Communicator

So in testing, it seems the webapp field was causing a conflict (it comes from the IPS events in the ASA). Changing from that to youtube.com solved the issue; I got the results I was expecting. Could be a bug in that app, will check with Cisco to be sure.

thanks for your help.

0 Karma

vasanthmss
Motivator

Try something like this:

index=* web_app=YouTube (src_ip="10.0.0.*" OR src_ip="known ip" OR src_ip="known ip2" ...)

V
0 Karma