Splunk Search

cidr notation not working

Motivator

I have more than 40 class B subnets in my geographically dispersed enterprise.

I would like to create a lookup for my companly subnets so that when I do searches on firewall and IDS data I can exclude or include company to and from IP's using the cidr notation for the Class B subnets. the reason I want to use Cidr is because I have a few superneted class B groups with a /14 cidr designation.

I have a search like this:

index=firewall action!=deny source_zone_name="Untrust"
source_address!=X.X.0.0/16 OR
source_address!=Y.Y.0.0/14 OR
source_address!=Z.Z.0.0/16
| stats count by source_address

This search is not filtering out the subnets identified with the Cidr notation.

Do I have to do something special to get Splunk to recognize the notation?

Tags (2)
0 Karma

SplunkTrust
SplunkTrust

You can do this:

index=_internal sourcetype=splunk*access | where NOT cidrmatch("127.0.0.0/31",clientip)
index=_internal sourcetype=splunk*access | where NOT cidrmatch("127.0.0.0/32",clientip)

The first search filters out localhost's IP, the second doesn't.

In case of lookups, you'll want to set match_type = CIDR(...), see http://docs.splunk.com/Documentation/Splunk/6.0.3/admin/Transformsconf for reference. Then a lookup table like this would match localhost and add whitelisted=1 to the event:

cidr,whitelisted
127.0.0.0/31,1
0 Karma