I am writing a query using the tstats command and need to use CIDR values. Below is the example.
| tstats `summariesonly` count from datamodel=Web where (nodename = Web.Proxy) by Web.src
In this query I need to place a filter with a private IP range (src should be a private IP).
src="10.0.0.0/8" OR src=192.168.0.0/16 OR src=172.16.0.0/12
Thanks in advance
| tstats `summariesonly` count from datamodel=Web where (nodename = Web.Proxy) by Web.src | where cidrmatch("10.0.0.0/8",'Web.src') OR cidrmatch("192.168.0.0/16",'Web.src') OR cidrmatch("172.16.0.0/12",'Web.src')
@sumitkathpal - did this answer give you what you needed? If so, then please accept the answer. If not, please let us know what worked, or what the current issue is. Thanks.
Actually, natural CIDR filters work in
| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"
| tstats count WHERE index=* AND host="10.0.0.0/8"
This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*
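Added example, not from any poster in this thread: the in-`tstats` CIDR filter described in the last answer applied to the asker's Web data model query, followed by a `cidrmatch` pass that labels each source with its private block. It assumes the `summariesonly` macro from the Common Information Model app is installed and that CIDR matching in the `tstats` WHERE clause behaves for `Web.src` as that answer reports for `All_Traffic.src`; the output field names `private_block`, `requests` and `sources` are illustrative.

```spl
| tstats `summariesonly` count from datamodel=Web
    where (nodename = Web.Proxy)
      (Web.src="10.0.0.0/8" OR Web.src="172.16.0.0/12" OR Web.src="192.168.0.0/16")
    by Web.src
| rename Web.src AS src
| eval private_block=case(
    cidrmatch("10.0.0.0/8", src), "10.0.0.0/8",
    cidrmatch("172.16.0.0/12", src), "172.16.0.0/12",
    cidrmatch("192.168.0.0/16", src), "192.168.0.0/16")
| where isnotnull(private_block)
| stats sum(count) AS requests dc(src) AS sources by private_block
```

Renaming `Web.src` to `src` before the `eval` avoids having to single-quote the dotted field name, and the `where isnotnull(private_block)` line drops any row that is not an address inside one of the three ranges.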