I am writing a query using tstats command need to use the CIDR values . Below is the example.
| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src in this query i need to place a filter with private IP range (src should be private IP).
src="10.0.0.0/8" OR src=192.168.0.0/16 OR src=172.16.0.0/12
Thanks in advance
Actually, natural CIDR filters work in tstats.
| tstats count FROM datamodel=Network_Traffic WHERE index=* AND All_Traffic.src="10.0.0.0/8"
| tstats count WHERE index=* AND host="10.0.0.0/8"
This has been in Splunk for a long time, but maybe not always. It works in all versions of 7.*
| tstats summariesonly count from datamodel=Web where (nodename = Web.Proxy) by Web.src
| where cidrmatch("10.0.0.0/8",Web.src) OR cidrmatch("192.168.0.0/16",Web.src) OR cidrmatch("172.16.0.0/12",,Web.src)
@sumitkathpal - did this answer give you what you needed? If so, then please accept the answer. If not, please let us know what worked, or what the current issue is. Thanks.