- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: cidrmatch() returning no matches
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I'm using cidrmatch() to determine whether a particular IP is on a local network, but when I query Splunk it returns nothing even though there are local IP addresses in the ingested data.
I'm running the following query:
index=main | stats count | eval ip=src_addr | eval network=if(cidrmatch("192.168.0.0/16",ip),"Local","Other") | stats count by ip, network
which returns no results, even though there are IP addresses in the 192.168.0.0/16 domain.
What could be the issue?
Could it be that the src_add field is saved a string. Is there a way for Splunk to save that as an IP address field?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
index=main | stats count |・・・・
->Field is only to count.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Or maybe a bit more detailed: What @HiroshiSatoh means is, you will loose any fields after the stats count if you don't define them along side of the stats. So you will only have a field called count after the stats count remove it form your search and it should return results as long you have a field called src_addr 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey MuS, I tried that and got a few hits. Only I now see a few 192.168.x.x addresses being classified as "Other"?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
could it be that you have some multivalue fields or the src_ip field is not always nummeric?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ah! cheers, my address ingestion is doubling up for some reason. I used mvindexto grab the first entry and ran cidrmatch() with success.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You're welcome, feel free to upvote any useful answers 😉
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Quick question, is there a away to filter for ipv6 addresses?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sure, for example to use the cidrmatch() for 2001:0000:1234:1234:1234:1fff:2eee:3ddd address, you can just do something like this:
........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hey Mus, is there a way to capture all private ipv6 addresses?
Extending Observability Content to Splunk Cloud
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
