Solved: Re: When searching for IP, how to only show the su...

rune_hellem · ‎08-16-2023

I have this search

index="firewall" dest_ip=172.99.99.99 dest_port=* | stats count by src_ip,dest_port,action,src_user

Instead of showing all src_ip's I want to group on the subnet part, that is using the dest_ip as an example, the three first (not being a network guy I might use the wrong wording 🙂 ) in the stats

172.99.99

My guess is rex, but guessing that there might be some other easier functions in Splunk for doing this?

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

View solution in original post

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

When searching for IP, how to only show the subnet, not the whole IP

field extraction

regex

rex

stats

Upcoming Webinar: Unmasking Insider Threats with Slunk Enterprise Security’s UEBA

.conf25 technical session recap of Observability for Gen AI: Monitoring LLM ...

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

Join the Conversation