If you have a small number of subnets, you could use a technique like this:
<Vulnerability search> ... | eval subnet=case(cidrmatch("10.0.0.0/24", ip), "Subnet 10.0.0.x", cidrmatch("10.0.1.0/24", ip), "Subnet 10.0.1.x", 0==0, "Unknown subnet") | stats count by subnet
As long as <Vulnerability search> returns events with an ip field, this simple technique should work. As far as I know, there's no simple way to automatically group IPs into subnets without actually defining the size of each individual network.
If all of your networks are "/24"s, then you could do something trivial like:
<Vulnerability search> ... | eval subnet=replace(ip, "^(\d+\.\d+\.\d+)\.\d+$", "\1.x") | stats count by subnet
But that's about as far as regex tricks will take you. 😞
BTW, if you have a large range of subnets, or want an approach that's more generally reusable, then I'd recommend using lookups. See the answer Using CIDR in a lookup table for the specifics on how to set this up in a lookup file.
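The same three ideas from the answer above (a fixed case()/cidrmatch() chain, the "everything is a /24" regex trick, and a CIDR lookup table) can be checked outside Splunk before you commit them to a search. The following is an added Python example written for this page, not code from the answer or from Splunk; the subnet table, labels and sample IPs are constructed here for illustration. It also shows the caveat the first search nearly tripped over: a CIDR like "10.0.0.1/24" has host bits set, and a strict parser rejects it.

```python
import ipaddress
from collections import Counter

# Constructed lookup table of (CIDR, label), the kind of rows a CIDR lookup
# CSV would hold. Entries overlap on purpose so longest-prefix wins.
SUBNET_TABLE = [
    ("10.0.0.0/8", "Corp (catch-all)"),
    ("10.0.0.0/24", "Subnet 10.0.0.x"),
    ("10.0.1.0/24", "Subnet 10.0.1.x"),
    ("10.0.2.0/23", "Lab 10.0.2.0/23"),   # not a /24: the regex trick mislabels this
]

# Constructed sample values of an "ip" field from vulnerability events.
SAMPLE_IPS = [
    "10.0.0.5", "10.0.0.200", "10.0.1.7", "10.0.2.3",
    "10.0.3.77", "10.0.9.9", "192.168.5.9", "not-an-ip",
]


def valid_cidr(cidr):
    """True if cidr is a proper network (no host bits set), e.g. 10.0.1.0/24.
    "10.0.0.1/24" is rejected: that is the typo the case() version can hide."""
    try:
        ipaddress.ip_network(cidr)  # strict=True by default
        return True
    except ValueError:
        return False


def build_table(entries):
    """Parse the CIDR strings once and order them longest prefix first,
    so the first matching row is the most specific one."""
    parsed = [(ipaddress.ip_network(cidr), label) for cidr, label in entries]
    parsed.sort(key=lambda row: row[0].prefixlen, reverse=True)
    return parsed


def label_subnet(ip, table, default="Unknown subnet"):
    """Equivalent of case(cidrmatch(...), ..., 0==0, default) with a
    longest-prefix match instead of relying on row order."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return default  # field was not an IP (hostname, blank, garbage)
    for net, label in table:
        if addr.version == net.version and addr in net:
            return label
    return default


def slash24_bucket(ip):
    """The replace() regex trick: collapse the last octet to ".x".
    Only correct when every network really is a /24 (IPv4 only)."""
    iface = ipaddress.ip_interface(f"{ip}/24")
    first_three = str(iface.network.network_address).rsplit(".", 1)[0]
    return first_three + ".x"


def count_by_subnet(ips, table):
    """stats count by subnet."""
    return Counter(label_subnet(ip, table) for ip in ips)


TABLE = build_table(SUBNET_TABLE)

if __name__ == "__main__":
    for subnet, n in sorted(count_by_subnet(SAMPLE_IPS, TABLE).items()):
        print(f"{n:3d}  {subnet}")
    # The /23 lab net lands in two buckets under the /24 trick:
    print(slash24_bucket("10.0.2.3"), slash24_bucket("10.0.3.77"))
```

Running it prints the per-subnet counts and then "10.0.2.x 10.0.3.x", which is exactly why the regex trick stops being useful once a single network is not a /24: the lookup-table form keeps "Lab 10.0.2.0/23" as one bucket.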