Hello all,
I've been hoping to play around with some of the iplocation functionality and see if I could leverage it somehow, so I rooted around and found that most of my data is private addresses. That was to be expected, but as I dig around, I cannot seem to find any public addresses at all.
From there I thought it would be fairly simple to do a search across all my data for any public address, or at the very least any non-private (weed out the smaller set). It turns out that I cannot find an easy way of doing this. Regex sounds like it would be a good approach, but that alone has proven to be more complex than expected.
Since I'm looking to find a public IP in any location, I'm not specifying a source, sourcetype, or field. So I'm either using _raw with regex or index=* searches for IP addresses. Without regex, it becomes a bit of a bear because doing a NOT search without specifying a field (which I do not know) removes the whole event, which may also contain a public address.
I've found a couple regex online that match RFC 1918 addresses, but most use the /m flag in regex101 (m modifier: multi-line. Causes ^ and $ to match the begin/end of each line) which it looks like splunk does not use.
I'm currently using this:
index=* | regex _raw="\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}" | search src_ip!=10.* src_ip!=127.* src_ip!=172.16.* src_ip!=::ffff:10* src_ip!=::ffff:127.* src_ip!=::ffff:172.16.*
Ideally I'd not have to specify a field, as I said previously, but my current approach is to pare down the data with specific qualifiers until I either find what I'm looking for or run out of data.
I very well may not have any public addresses in the data I'm using!
Any suggestions for this problem?
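The classification the post is trying to do with a `NOT` search is easier to get right outside of field-based filtering: pull every IPv4-looking token out of the raw event text, unwrap IPv4-mapped IPv6 forms (`::ffff:a.b.c.d`), and ask a real address library whether the result is globally routable. This Python script is an added example, not code from the original post or from Splunk; the sample log lines are constructed, and the function and constant names are my own. It goes slightly beyond the post's RFC 1918 prefixes in that `is_global` also rejects loopback, link-local, shared address space (100.64.0.0/10) and the documentation ranges, which is usually what "public" is meant to mean.

```python
import ipaddress
import re

# Candidate token: an optional IPv4-mapped IPv6 prefix followed by four dotted
# octets. The lookarounds stop "10.2.3.4.5" or "1.2.3.4.5" from yielding a
# four-octet substring of a longer dotted string.
IP_RE = re.compile(
    r"(?<![\d.])(?:::ffff:)?(?:\d{1,3}\.){3}\d{1,3}(?![\d.])",
    re.IGNORECASE,
)

# Constructed sample events standing in for Splunk _raw text.
SAMPLE_RAW = [
    "2024-01-01T00:00:00 src_ip=10.1.2.3 dst_ip=8.8.8.8 action=allow",
    "client=::ffff:192.168.0.7 server=::ffff:1.1.1.1",
    "host 172.31.255.254 contacted 100.64.0.1 and 172.32.0.1",
    "build id 10.2.3.4.5 loopback 127.0.0.1 bogus 300.1.1.1",
]


def to_ipv4(token):
    """Parse a candidate token; unwrap IPv4-mapped IPv6; None if not an address."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:  # e.g. an octet above 255
        return None
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return addr


def is_public(token):
    """True only for a syntactically valid, globally routable address."""
    addr = to_ipv4(token)
    return addr is not None and addr.is_global


def public_addresses(raw_lines):
    """Unique public addresses found in the raw lines, in order of first appearance."""
    hits = []
    for line in raw_lines:
        for match in IP_RE.finditer(line):
            if is_public(match.group(0)):
                hits.append(str(to_ipv4(match.group(0))))
    return list(dict.fromkeys(hits))


if __name__ == "__main__":
    for line in SAMPLE_RAW:
        print(line)
    print("public:", public_addresses(SAMPLE_RAW))
```

The same two steps map onto SPL: a `rex` with the pattern above to extract candidates from `_raw` into a field, then `cidrmatch()` in an `eval` or `where` clause against each reserved block, so the filter applies to the extracted value rather than to a field name that may not exist in the event. Note that the second line of the search in the post only excludes 172.16.0.0/24; the RFC 1918 block is 172.16.0.0/12, which runs through 172.31.255.255, and 192.168.0.0/16 is not excluded at all, both of which the library check above covers.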