Hello community!
I'm looking for a way to optimize the search below and I need some help:
index="oswinsec" source="XmlWinEventLog:Security" TargetUserName Kerberos earliest=-5min
| regex TargetUserName="^([a-z]+)\.([a-z]+)"
| regex IpAddress="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"
| eval Octet1=mvindex(split(IpAddress,"."), 0)
| eval Octet2=mvindex(split(IpAddress,"."), 1)
| eval Octet3=mvindex(split(IpAddress,"."), 2)
| where (Octet1=10 AND Octet2=244 AND Octet3>=192 AND Octet3<=255) OR (Octet1=172 AND Octet2=24)
| dedup TargetUserName
| table TargetUserName IpAddress
Thank you!!
Regards
What is it you wish to optimize?
Have you looked at the cidrmatch function?
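As an added worked example (not part of the thread, and not the original poster's search), the two octet conditions are collapsed into CIDR blocks and a cidrmatch-style filter is run side by side with a literal port of the split/mvindex logic over constructed sample events. It is written in Python with the standard ipaddress module so it runs offline; in SPL the equivalent filter is `| where cidrmatch("10.244.192.0/18", IpAddress) OR cidrmatch("172.24.0.0/16", IpAddress)`, which replaces the three eval lines and the where clause. One caveat worth knowing: Windows Security events often record IPv4 addresses in IPv4-mapped IPv6 form (`::ffff:10.244.200.17`), which the split/mvindex approach silently drops because the first element is `::ffff:10`, not `10`; the example normalises that form before matching, and in SPL an `| eval IpAddress=replace(IpAddress, "^::ffff:", "")` before the cidrmatch does the same. The sample rows, user names and addresses below are constructed, not real log data.

```python
"""Octet-range filter vs. CIDR match, worked over constructed sample events."""
import ipaddress
import re

# Constructed sample events (not real log data), shaped like the TargetUserName /
# IpAddress fields the Splunk search above works with. Windows Security events
# frequently carry IPv4 addresses as IPv4-mapped IPv6 ("::ffff:a.b.c.d"); one row
# uses that form on purpose.
SAMPLE_EVENTS = [
    {"TargetUserName": "john.doe", "IpAddress": "10.244.200.17"},
    {"TargetUserName": "john.doe", "IpAddress": "10.244.201.3"},      # same user, dedup drops it
    {"TargetUserName": "jane.roe", "IpAddress": "10.244.10.9"},       # Octet3 below 192
    {"TargetUserName": "sam.poe", "IpAddress": "172.24.5.6"},
    {"TargetUserName": "ann.lee", "IpAddress": "::ffff:172.24.77.1"},  # IPv4-mapped IPv6
    {"TargetUserName": "SVC-HOST$", "IpAddress": "10.244.250.2"},     # fails the name regex
    {"TargetUserName": "bob.ray", "IpAddress": "192.168.1.1"},        # outside both ranges
]

# Same regexes as the original search; the IPv4 one is unanchored, as in SPL.
USER_RE = re.compile(r"^([a-z]+)\.([a-z]+)")
IPV4_RE = re.compile(r"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}")

# The two octet conditions expressed as CIDR blocks:
#   Octet1=10 AND Octet2=244 AND 192<=Octet3<=255  ->  10.244.192.0/18
#   Octet1=172 AND Octet2=24                       ->  172.24.0.0/16
NETWORKS = [ipaddress.ip_network("10.244.192.0/18"),
            ipaddress.ip_network("172.24.0.0/16")]


def octets_to_cidr(o1, o2, o3_low, o3_high):
    """Collapse 'first two octets fixed, third octet in [o3_low, o3_high]' into
    the minimal list of CIDR blocks. Generalises the /18 and /16 derivation."""
    first = ipaddress.ip_address(f"{o1}.{o2}.{o3_low}.0")
    last = ipaddress.ip_address(f"{o1}.{o2}.{o3_high}.255")
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def normalize_ipv4(raw):
    """Return the embedded IPv4 address for an IPv4-mapped IPv6 string,
    otherwise the parsed address unchanged."""
    ip = ipaddress.ip_address(raw)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def _passes_regexes(ev):
    return bool(USER_RE.search(ev["TargetUserName"])) and bool(IPV4_RE.search(ev["IpAddress"]))


def _to_int(s):
    # SPL compares a non-numeric string to a number as false; mirror that with None.
    try:
        return int(s)
    except ValueError:
        return None


def octet_filter(events):
    """Literal port of the original split/mvindex/where logic."""
    kept = []
    for ev in events:
        if not _passes_regexes(ev):
            continue
        parts = ev["IpAddress"].split(".")
        o1, o2, o3 = (_to_int(p) for p in parts[:3])
        if (o1 == 10 and o2 == 244 and o3 is not None and 192 <= o3 <= 255) \
                or (o1 == 172 and o2 == 24):
            kept.append(ev)
    return kept


def cidr_filter(events, networks=NETWORKS):
    """cidrmatch-style filter: normalise the address, then test network membership."""
    kept = []
    for ev in events:
        if not _passes_regexes(ev):
            continue
        ip = normalize_ipv4(ev["IpAddress"])
        if any(ip in net for net in networks):   # version mismatch simply yields False
            kept.append(ev)
    return kept


def dedup_by_user(events):
    """Equivalent of `dedup TargetUserName | table TargetUserName IpAddress`;
    the first event per user wins, as dedup keeps the first row it sees."""
    seen, rows = set(), []
    for ev in events:
        if ev["TargetUserName"] in seen:
            continue
        seen.add(ev["TargetUserName"])
        rows.append((ev["TargetUserName"], ev["IpAddress"]))
    return rows


if __name__ == "__main__":
    print("CIDR for 10.244.[192-255]:", octets_to_cidr(10, 244, 192, 255))
    print("CIDR for 172.24.*:", octets_to_cidr(172, 24, 0, 255))
    print("octet logic :", dedup_by_user(octet_filter(SAMPLE_EVENTS)))
    print("cidr logic  :", dedup_by_user(cidr_filter(SAMPLE_EVENTS)))
```

Running it shows the two filters agree on plain dotted-quad addresses and differ only on the mapped `::ffff:172.24.77.1` row, which the octet logic drops and the CIDR logic keeps after normalisation; that row is exactly the class of event the original search would have missed.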
No, I hadn't seen this function.
We tried it and it's indeed simpler.
Thank you so much!!