Solved: Re: query optimization on IP adress

Nico99 · ‎03-09-2023

Hello community!

I'm looking for a way to optimize this search below and I need some help :

index="oswinsec" source="XmlWinEventLog:Security" TargetUserName Kerberos earliest=-5min
| regex TargetUserName="^([a-z]+)\.([a-z]+)"
| regex IpAddress="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | eval Octet1=mvindex(split(IpAddress,"."), 0) | eval Octet2=mvindex(split(IpAddress,"."), 1) | eval Octet3=mvindex(split(IpAddress,"."), 2) | where (Octet1=10 AND Octet2=244 AND Octet3>=192 AND Octet3<=255) OR (Octet1=172 AND Octet2=24)  
| dedup TargetUserName | table TargetUserName IpAddress

Thanking you!!

regards

richgalloway · ‎03-09-2023

What is it you wish to optimize?

Have you looked at the cidrmatch function?

---
If this reply helps you, Karma would be appreciated.

View solution in original post

Nico99 · ‎03-09-2023

No i hadn't seen this function.
We tried and it's indeed simpler.

Thank you so much!!

richgalloway · ‎03-09-2023

What is it you wish to optimize?

Have you looked at the cidrmatch function?

---
If this reply helps you, Karma would be appreciated.

query optimization on IP adress

eval

regex

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Deep insights, no barriers: Splunk Observability Cloud Free Edition

Monitoring AI Agents with Splunk Observability Cloud

[Puzzles] Solve, Learn, Repeat: Tiling

Join the Conversation