Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

… | where like(src, “10.9.165.%”) OR cidrmatch(“10.9.165.0/25”, dst) What will this search return as a result?

rashokciet
New Member
‎04-27-2015 09:51 PM

… | where like(src, “10.9.165.%”) OR cidrmatch(“10.9.165.0/25”, dst)

What will this search return as a result?

Any help is appreciated..!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-27-2015 10:34 PM

Hi,

I think that It return events that match the IP or is in the specified subnet.

This because:

  • the like(x,y) funtion This function takes two arguments, a field X and a quoted string Y, and
    returns TRUE if and only if the first argument is like the SQLite pattern in y

  • the cidrmacth(x,y) function identifies IP addresses that belong to a particular subnet. The function uses two arguments: the first is the CIDR subnet, is contained in quotes; the second is the IP address to match, which may be values in field.

View solution in original post

0 Karma
Reply
Solved! Jump to solution

esix_splunk
Splunk Employee
Splunk Employee
‎04-27-2015 10:49 PM

By syntax, CIDRMATCH("10.9.165.0/25",dst) will return 10.9.165 - 166. 1 - 254.

Whereas.. WHERE like(src,"10.9.165.%") will only return any src that is 10.9.165.x.

0 Karma
Reply
Solved! Jump to solution

Runals
Motivator
‎04-28-2015 06:25 AM

Actually cidermatch("10.9.165.0/25", dst) will return values between 10.9.165.0 - 10.9.165.127
where like(src, "10.9.165.%") will return values that simply start with "10.9.165." and while one might assume validation has already been done to the data in "src" it will match 0-255 but also any string of characters

Reply
Solved! Jump to solution
Solution

ngatchasandra
Builder
‎04-27-2015 10:34 PM

Hi,

I think that It return events that match the IP or is in the specified subnet.

This because:

  • the like(x,y) funtion This function takes two arguments, a field X and a quoted string Y, and
    returns TRUE if and only if the first argument is like the SQLite pattern in y

  • the cidrmacth(x,y) function identifies IP addresses that belong to a particular subnet. The function uses two arguments: the first is the CIDR subnet, is contained in quotes; the second is the IP address to match, which may be values in field.

0 Karma
Reply
Solved! Jump to solution

rashokciet
New Member
‎04-27-2015 10:48 PM

Could you please explain how it works??

Thanks for the help in advance

0 Karma
Reply
Solved! Jump to solution

ngatchasandra
Builder
‎04-27-2015 10:54 PM

Yes!

This because:

  • the like(x,y) funtion This function takes two arguments, a field X and a quoted string Y, and returns TRUE if and only if the first argument is like the SQLite pattern in y

  • the cidrmacth(x,y) function identifies IP addresses that belong to a particular subnet. The function uses two arguments: the first is the CIDR subnet, is contained in quotes; the second is the IP address to match, which may be values in field.

0 Karma
Reply
Get Updates on the Splunk Community!

Now Available: Cisco Talos Threat Intelligence Integrations for Splunk Security Cloud ...

At .conf24, we shared that we were in the process of integrating Cisco Talos threat intelligence into Splunk ...

Preparing your Splunk Environment for OpenSSL3

The Splunk platform will transition to OpenSSL version 3 in a future release. Actions are required to prepare ...

Easily Improve Agent Saturation with the Splunk Add-on for OpenTelemetry Collector

Agent Saturation What and Whys In application performance monitoring, saturation is defined as the total load ...