Solved: When searching for IP, how to only show the subnet...

rune_hellem · ‎08-16-2023

I have this search

index="firewall" dest_ip=172.99.99.99 dest_port=* | stats count by src_ip,dest_port,action,src_user

Instead of showing all src_ip's I want to group on the subnet part, that is using the dest_ip as an example, the three first (not being a network guy I might use the wrong wording 🙂 ) in the stats

172.99.99

My guess is rex, but guessing that there might be some other easier functions in Splunk for doing this?

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

View solution in original post

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

When searching for IP, how to only show the subnet, not the whole IP

field extraction

regex

rex

stats

[Puzzles] Solve, Learn, Repeat: Dynamic formatting from XML events

Enter the Agentic Era with Splunk AI Assistant for SPL 1.4

Stronger Security with Federated Search for S3, GCP SQL & Australian Threat ...

Join the Conversation