Splunk Search

splunk syntax search a subnet

trojan_81
Path Finder

All,

I want search a subnet over all indexes and sourcetypes. The subnet is 5.5.0.0/16
How would the query look so I can identify any IP within the 5.5.0.0/16 subnet?

thanks in advance

Tags (2)
0 Karma

tbavarva
Path Finder

Below query is written considering search for 5.5.0.0/16 subnet over any index and sourcetype and IP address is not extracted in particular field (src and dest).

index=* sourcetype=* "5.5.0.0/16"

If your events have extracted IP address in src and dest fields, you can go for the query what @to4kawa has mentioned in its post.

Regards,
Tejas

0 Karma

to4kawa
Ultra Champion
TERM("5.5.0.0/16")

Is this possible?

0 Karma

martynoconnor
Communicator

I'm not sure about using TERM for subnets. TERM instructs Splunk to not view the dot as a minor breaker, but instead to literally search for that IP, not for 5 5 0 0.

0 Karma

to4kawa
Ultra Champion

thanks, @martynoconnor
that's right.
Search failed.

0 Karma

to4kawa
Ultra Champion
index=your_index sourcetype=your_sourcetype src="5.5.0.0/16" OR dst="5.5.0.0/16"

splunk can resolve prefix.

0 Karma
Get Updates on the Splunk Community!

Enterprise Security Content Update (ESCU) | New Releases

In December, the Splunk Threat Research Team had 1 release of new security content via the Enterprise Security ...

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

(This is the first of a series of 2 blogs). Splunk Enterprise Security is a fantastic tool that offers robust ...

Index This | What are the 12 Days of Splunk-mas?

December 2024 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with another ...