Solved: When searching for IP, how to only show the subnet...

rune_hellem · ‎08-16-2023

I have this search

index="firewall" dest_ip=172.99.99.99 dest_port=* | stats count by src_ip,dest_port,action,src_user

Instead of showing all src_ip's I want to group on the subnet part, that is using the dest_ip as an example, the three first (not being a network guy I might use the wrong wording 🙂 ) in the stats

172.99.99

My guess is rex, but guessing that there might be some other easier functions in Splunk for doing this?

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

View solution in original post

ITWhisperer · ‎08-16-2023

If you know your subnet is 24 bits i.e. the first 3 numbers of an IPv4 address x.x.x.y, you could do this

index="firewall" dest_ip=172.99.99.99 dest_port=* 
| rex field=dest_ip "(?<dest_ip_subnet>^.*)\.\d+$"
| stats count by src_ip,dest_port,dest_ip_subnet,action,src_user

When searching for IP, how to only show the subnet, not the whole IP

field extraction

regex

rex

stats

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform