Splunk Search

tstats command help required for CIDR

sumitkathpal
Explorer

Hello Everyone,

I am writing a query using tstats command need to use the CIDR values . Below is the example.

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src in this query i need to place a filter with private IP range (src should be private IP).

src="10.0.0.0/8" OR src=192.168.0.0/16 OR src=172.16.0.0/12

Thanks in advance

0 Karma

woodcock
Esteemed Legend

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

0 Karma

DalJeanis
Legend

Try ...

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src 
| where cidrmatch("10.0.0.0/8",Web.src) OR cidrmatch("192.168.0.0/16",Web.src) OR cidrmatch("172.16.0.0/12",,Web.src)

DalJeanis
Legend

@sumitkathpal - did this answer give you what you needed? If so, then please accept the answer. If not, please let us know what worked, or what the current issue is. Thanks.

0 Karma
Get Updates on the Splunk Community!

.conf24 | Day 0

Hello Splunk Community! My name is Chris, and I'm based in Canberra, Australia's capital, and I travelled for ...

Enhance Security Visibility with Splunk Enterprise Security 7.1 through Threat ...

 (view in My Videos)Struggling with alert fatigue, lack of context, and prioritization around security ...

Troubleshooting the OpenTelemetry Collector

  In this tech talk, you’ll learn how to troubleshoot the OpenTelemetry collector - from checking the ...