Splunk Search

When searching for IP, how to only show the subnet, not the whole IP

rune_hellem
Contributor

I have this search

index="firewall" dest_ip=172.99.99.99 dest_port=* | stats count by src_ip,dest_port,action,src_user

Instead of showing all src_ip's I want to group on the subnet part, that is using the dest_ip as an example, the three first (not being a network guy I might use the wrong wording 🙂 ) in the stats 

172.99.99 

My guess is rex, but guessing that there might be some other easier functions in Splunk for doing this?

Labels (4)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user
Get Updates on the Splunk Community!

Unlock New Opportunities with Splunk Education: Explore Our Latest Courses!

At Splunk Education, we’re dedicated to providing top-tier learning experiences that cater to every skill ...

Technical Workshop Series: Splunk Data Management and SPL2 | Register here!

Hey, Splunk Community! Ready to take your data management skills to the next level? Join us for a 3-part ...

Spotting Financial Fraud in the Haystack: A Guide to Behavioral Analytics with Splunk

In today's digital financial ecosystem, security teams face an unprecedented challenge. The sheer volume of ...