tstats command help required for CIDR

sumitkathpal · ‎07-20-2017

Hello Everyone,

I am writing a query using tstats command need to use the CIDR values . Below is the example.

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src in this query i need to place a filter with private IP range (src should be private IP).

src="10.0.0.0/8" OR src=192.168.0.0/16 OR src=172.16.0.0/12

Thanks in advance

woodcock · ‎06-25-2019

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

DalJeanis · ‎07-20-2017

Try ...

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src 
| where cidrmatch("10.0.0.0/8",Web.src) OR cidrmatch("192.168.0.0/16",Web.src) OR cidrmatch("172.16.0.0/12",,Web.src)

DalJeanis · ‎10-06-2017

@sumitkathpal - did this answer give you what you needed? If so, then please accept the answer. If not, please let us know what worked, or what the current issue is. Thanks.

tstats command help required for CIDR

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

Logs to Metrics

Developer Spotlight with Paul Stout