Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Why is the CIDR search on accelerated data failing?

isabel_ycourbe
Path Finder
‎02-12-2018 06:32 AM

When I run my tstat including a CIDR filter with summariesonly=T I got no result, while setting the parameter to false will give me my results:

  • Fails: | tstats summariesonly=T count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest=10.0.0.0/8 by All_Traffic.dest
  • Works: | tstats summariesonly=F count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest=10.0.0.0/8 by All_Traffic.dest but it's obviously slow
  • Works: | tstats summariesonly=T count from datamodel=Network_Traffic.All_Traffic where All_Traffic.dest=10.* by All_Traffic.dest where I'm using wildcard instead of CIDR. NB: Datamodel is accelerated at 100% NB2: I testing even with large time range, result is the same
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:38 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

View solution in original post

0 Karma
Reply
Solved! Jump to solution
Solution

woodcock
Esteemed Legend
‎06-25-2019 10:38 AM

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

0 Karma
Reply
Solved! Jump to solution

abpe
Path Finder
‎05-12-2020 02:25 AM

For me CIDR filters on Splunk 7.3.3 fail. For example the query below should list only destinations which are IP's:

| tstats values(Web.dest) as dest from datamodel=Web where Web.dest="0.0.0.0/0"

However it just lists all kind of values.

0 Karma
Reply
Solved! Jump to solution

harsmarvania57
Ultra Champion
‎02-13-2018 12:24 AM

As far as I know CIDR isn't supported in tstats commands with accelerated datamodel. Check this answer as well https://answers.splunk.com/answers/468781/how-do-i-do-a-cidr-matchnot-match-in-a-tstats-sear.html

0 Karma
Reply
Solved! Jump to solution

isabel_ycourbe
Path Finder
‎02-13-2018 12:54 AM

Thanks for the answer and the workaround !

0 Karma
Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

🍂 Fall into November with a fresh lineup of Community Office Hours, Tech Talks, and Webinars we’ve ...

Transform your security operations with Splunk Enterprise Security

Hi Splunk Community, Splunk Platform has set a great foundation for your security operations. With the ...

Splunk Admins and App Developers | Earn a $35 gift card!

Splunk, in collaboration with ESG (Enterprise Strategy Group) by TechTarget, is excited to announce a ...