Splunk Search
Highlighted

tstats command help required for CIDR

Explorer

Hello Everyone,

I am writing a query using tstats command need to use the CIDR values . Below is the example.

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src in this query i need to place a filter with private IP range (src should be private IP).

src="10.0.0.0/8" OR src=192.168.0.0/16 OR src=172.16.0.0/12

Thanks in advance

0 Karma
Highlighted

Re: tstats command help required for CIDR

SplunkTrust
SplunkTrust

Try ...

| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src 
| where cidrmatch("10.0.0.0/8",Web.src) OR cidrmatch("192.168.0.0/16",Web.src) OR cidrmatch("172.16.0.0/12",,Web.src)
Highlighted

Re: tstats command help required for CIDR

SplunkTrust
SplunkTrust

@sumitkathpal - did this answer give you what you needed? If so, then please accept the answer. If not, please let us know what worked, or what the current issue is. Thanks.

0 Karma
Highlighted

Re: tstats command help required for CIDR

Esteemed Legend

Actually, natural CIDR filters work in tstats.

Like this:

| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"

And this:

| tstats count WHERE index=* AND host="10.0.0.0/8"

This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*

0 Karma