Hello, I am new to Splunk and REGEX for that matter. What I am trying to accomplish is creating an alert when a specific event occurs within an IP range without having to create an alert for every IP individually. Here is my very basic query.
index=n sourcetype=c message_text="you should not have done that" host="1.1.1.?"
I put the question mark in there because this is where I am stuck. The last octet is a range beginning at 23 and ending at 51, excluding .26, .32, and .38-.44. Thank you for your time.
If you are filtering data only on host=1.1.1.* then you can filter it using logical operators in the base search only:
index=n sourcetype=c message_text="you should not have done that" (host>="1.1.1.23" AND host<="1.1.1.51") NOT (host>="1.1.1.38" AND host<="1.1.1.44") host!="1.1.1.26" host!="1.1.1.32"

The search command, which is implied before the first pipe, does not support regular expressions. The best you can do is use a wildcard to grab a larger set of IP addresses and trim the set with later commands.
The listed requirements don't lend themselves to a clean regex string, but perhaps this will help.
index=n sourcetype=c message_text="you should not have done that" host="1.1.1.*"
| eval lastOctet=mvindex(split(host,"."), 3)
| where (lastOctet>=23 AND lastOctet<=51 AND NOT lastOctet IN (26,32,38,39,40,41,42,43,44))
If this reply helps you, Karma would be appreciated.
Hi,
you should try cidrmatch("X",Y). There are also quite a few examples of how to use lookups for that.
...
| where cidrmatch("1.1.1.x/2x", <your IP>) OR cidrmatch("1.1.1.y/2y", <your IP>) ....
As you don't have "clean" IP blocks, you must match those to suitable blocks and/or use a larger block and then remove the unwanted IPs.
r. Ismo.
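Both approaches in this thread, the eval/where filter on the last octet and the cidrmatch() decomposition into blocks, can be worked out and cross-checked offline before they go into an alert. The Python below is an added example, not code from the original thread or from Splunk: it reproduces the last-octet filter in Python, uses the standard ipaddress module to compute the smallest set of CIDR blocks covering .23-.51 minus .26, .32 and .38-.44, renders that set as the cidrmatch where clause sketched above, and runs both filters over a handful of constructed sample events, failing loudly if the two ever disagree. The sample events, the `alert_hits`/`spl_where_clause` helper names and the field name `host` are assumptions made for the example.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed sample events (not from the original post), shaped like the
# host / message_text pairs the question's base search returns.
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("1.1.1.23", "you should not have done that"),  # first address in range
    ("1.1.1.26", "you should not have done that"),  # explicitly excluded
    ("1.1.1.3",  "you should not have done that"),  # outside the range
    ("1.1.1.40", "you should not have done that"),  # inside the excluded .38-.44 block
    ("1.1.1.51", "you should not have done that"),  # last address in range
    ("1.1.1.52", "you should not have done that"),  # one past the range
    ("1.1.1.30", "something else"),                 # in range, but wrong message
]

MESSAGE = "you should not have done that"
PREFIX = "1.1.1."
RANGE_START, RANGE_END = 23, 51
EXCLUDED = {26, 32} | set(range(38, 45))  # .26, .32 and .38-.44


def last_octet_match(host: str) -> bool:
    """Python equivalent of the SPL eval/where approach: split the host on '.',
    take element 3 and compare it as an integer (so 1.1.1.3 is not 'between'
    23 and 51 the way a string comparison would place it)."""
    parts = host.split(".")
    if len(parts) != 4 or not host.startswith(PREFIX):
        return False
    try:
        octet = int(parts[3])
    except ValueError:
        return False
    return RANGE_START <= octet <= RANGE_END and octet not in EXCLUDED


def cidr_blocks() -> List[ipaddress.IPv4Network]:
    """Decompose the wanted addresses into the smallest set of CIDR blocks,
    which is what a cidrmatch()-based where clause needs."""
    wanted = [
        ipaddress.ip_network(f"{PREFIX}{octet}/32")
        for octet in range(RANGE_START, RANGE_END + 1)
        if octet not in EXCLUDED
    ]
    # collapse_addresses merges adjacent, prefix-aligned /32s into larger blocks.
    return list(ipaddress.collapse_addresses(wanted))


def cidr_match(host: str, blocks: Iterable[ipaddress.IPv4Network]) -> bool:
    """Equivalent of OR-ing cidrmatch(block, host) over every block."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in block for block in blocks)


def spl_where_clause(blocks: Iterable[ipaddress.IPv4Network], field: str = "host") -> str:
    """Render the blocks as the where clause sketched in the thread."""
    terms = [f'cidrmatch("{block}", {field})' for block in blocks]
    return "| where " + " OR ".join(terms)


def alert_hits(events: Iterable[Tuple[str, str]]) -> List[str]:
    """Hosts that would fire the alert. Both filters are evaluated and must
    agree, which is a cheap check that the CIDR decomposition is right."""
    blocks = cidr_blocks()
    hits = []
    for host, text in events:
        if text != MESSAGE:
            continue
        by_octet = last_octet_match(host)
        by_cidr = cidr_match(host, blocks)
        if by_octet != by_cidr:
            raise RuntimeError(f"filters disagree on {host}")
        if by_octet:
            hits.append(host)
    return hits


if __name__ == "__main__":
    print(spl_where_clause(cidr_blocks()))  # ten cidrmatch() terms
    print(alert_hits(SAMPLE_EVENTS))        # ['1.1.1.23', '1.1.1.51']
```

Running it prints a where clause with ten cidrmatch() terms (for example `1.1.1.24/31` and `1.1.1.28/30` alongside single /32s such as `1.1.1.23/32`), which shows why the ranges in the question cannot be expressed as one or two blocks. The same collapse can be rerun whenever the exclusion list changes, and the generated clause or block list can then be pasted into the search or loaded into a lookup.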
