All,
I want to search a subnet over all indexes and sourcetypes. The subnet is 5.5.0.0/16.
How would the query look so I can identify any IP within the 5.5.0.0/16 subnet?
Thanks in advance.
The query below is written to search for the 5.5.0.0/16 subnet over any index and sourcetype, for the case where the IP address is not extracted into a particular field (src and dest).
index=* sourcetype=* "5.5.0.0/16"
If your events have the IP address extracted into the src and dest fields, you can go for the query that @to4kawa has mentioned in their post.
Regards,
Tejas
TERM("5.5.0.0/16")
Is this possible?
I'm not sure about using TERM for subnets. TERM instructs Splunk not to view the dot as a minor breaker, but instead to literally search for that IP, not for 5 5 0 0.
Thanks, @martynoconnor, that's right.
Search failed.
index=your_index sourcetype=your_sourcetype src="5.5.0.0/16" OR dst="5.5.0.0/16"
Splunk can resolve the prefix.
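For completeness, here is an added example (not from any of the posters above) covering the other case raised in the thread: events where the IP is still buried in _raw rather than sitting in an extracted src or dst field. Searching for the literal text "5.5.0.0/16" only matches events that contain that exact string, so the example instead pulls every IPv4-looking token out of the raw event with rex, expands the multivalue result, and keeps only the values that fall inside the prefix with the eval function cidrmatch(). The field name ip_candidate and the time window are assumptions chosen for this example.

```spl
index=* sourcetype=* earliest=-24h
| rex field=_raw max_match=0 "(?<ip_candidate>\b(?:\d{1,3}\.){3}\d{1,3}\b)"
| mvexpand ip_candidate
| where cidrmatch("5.5.0.0/16", ip_candidate)
| stats count by index, sourcetype, ip_candidate
```

Two caveats a practitioner would want: index=* over all time is expensive, so keep the earliest/latest window tight while you are exploring; and the regex only checks shape, so strings such as version numbers can become ip_candidate values. cidrmatch() returns false for anything that is not a valid address inside 5.5.0.0/16, so those stray tokens are dropped by the where clause rather than counted. Once you know which sourcetypes carry the traffic, the plain src="5.5.0.0/16" OR dst="5.5.0.0/16" form from the earlier post is far cheaper because it filters at search time on already-extracted fields.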