About msquicc

msquicc

Here's my solution that I've been piecing together for a while now. I'm using cidrmatch() to determine internal vs. external, as well as validate IP address format. I wrap the whole thing in a macro. Example usage in a query: | eval src_ip_class = `ipClass(src_ip)` Macro Name: ipClass(1) Macro Arguments: IP Macro Definition: case( ``` Empty / null ``` isnull($IP$) OR $IP$="", "Empty", ``` Internal IPv4 (RFC1918, CGNAT, loopback, link-local) ``` cidrmatch("10.0.0.0/8", $IP$) OR cidrmatch("172.16.0.0/12", $IP$) OR cidrmatch("192.168.0.0/16",$IP$) OR cidrmatch("100.64.0.0/10", $IP$) ``` CGNAT ``` OR cidrmatch("127.0.0.0/8", $IP$) ``` loopback ``` OR cidrmatch("169.254.0.0/16",$IP$), ``` link-local ``` "Internal IPv4", ``` Internal IPv6 (ULA, link-local, loopback) ``` cidrmatch("fc00::/7", $IP$) ``` Unique local ``` OR cidrmatch("fe80::/10",$IP$) ``` Link-local ``` OR cidrmatch("::1/128",$IP$), ``` Loopback ``` "Internal IPv6", ``` Any remaining valid IPv4 ``` cidrmatch("0.0.0.0/0", $IP$), "External IPv4", ``` Any remaining valid IPv6 ``` cidrmatch("::/0", $IP$), "External IPv6", ``` Everything else ``` 1==1, "Invalid" ) Run Anywhere Example | makeresults count=1 | eval src_ip="10.42.17.8, 172.20.55.13, 192.168.100.77, 100.88.12.200, 127.0.0.1, 169.254.33.10, 8.8.8.8, fd12:3456:789a:1::25, fe80::a4b3:22ff:fe19:7c01, ::1, 2600:1407:5800::5ce, , 999.999.1.2, ham-sandwich, fe80:::1" | eval src_ip = trim(split(src_ip,",")) | mvexpand src_ip ``` ^ Create sample data ^ ``` ```Solution example below``` | eval src_ip_class = `ipClass(src_ip)` | table src_ip src_ip_class | sort 0 src_ip_class

msquicc

How can I reliably classify IPv4 and IPv6 addresses as internal vs external? Requirements: Handle both IPv4 and IPv6 Validate the IP format (don’t just assume “not in RFC1918 = external”) Treat private, loopback, link-local, etc. as internal, and only mark truly public IPs as external I’ve seen a bunch of posts on this topic, but most either miss some cases (CGNAT, IPv6 ULA/link-local) or overcomplicate things with regex. I'm curious to see what others have come up with. Ideally, maybe this could turn into a nice suggestion for Splunk ideas. I do think it would be great to have this baked into the product. I'm going to post my suggestion that uses cidrmatch wrapped in macro, but please let me know if you find any issues with it, have suggestions, or a better solution!

msquicc · ‎05-15-2025

for anyone that would like to see this work better, please consider voting for my idea here to support long query urls: https://ideas.splunk.com/ideas/EID-I-2569 to me, this is not uncommon at all. it's a daily problem that I have to work around. (I'm aware of the current solutions and already use them.)

msquicc · ‎05-15-2025

for anyone that would like to see this work better, please consider voting for my idea here to support long query urls: https://ideas.splunk.com/ideas/EID-I-2569 to me, this is not uncommon at all. it's a daily problem that I have to work around. (I'm aware of the current solutions and already use them.)

msquicc · ‎05-01-2025

I know this is a pretty old post, but wanted to put this here for anyone else looking. This has bothered me for some time. It seems timechart, as of some version, supports 3 limit options: limit=N limit=topN limit=bottomN https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Timechart

msquicc · ‎04-02-2025

thanks, yea, I was planning on giving that a shot, but mostly interested in how to replace those certs on the UFs before they expire. ansible / MS tools could be a backup, but I'd really like to implement and have it fully controlled from the deployment server. so, just thinking through it, updating the cert(s) in this app would push out the updated certs to the UFs, but then all of the UFs would fail to phone home until I update the certs on the deployment server? then I'd have to hope that everything works from a fully broken state? just seems risky. open to suggestions, and maybe I'm over thinking some of it. wondering if anyone's accomplished this in a safe practical way? @krusovice, what did you wind up doing?

msquicc · ‎04-02-2025

did you wind up getting a good solution in place for pushing new certs from the deployment server?

msquicc · ‎03-31-2023

Since Heff mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following: case( cidrmatch("10.0.0.0/8",$IP$),"False", cidrmatch("172.16.0.0/12",$IP$),"False", cidrmatch("192.168.0.0/16",$IP$),"False", isnull($IP$) OR like($IP$,""), "False", match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True") Then, I can use it in any query like: | eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)` The last line tests for a valid IPv4 address. The best regex for validating IPV4 is an ever-evolving conversation on stack overflow. So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311

msquicc · ‎03-31-2023

here's what I landed on, in case it's helpful for folks in the future. | eval isIPV4 = if(match(IP,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True","False") The best regex for validating IPV4 is an ever-evolving conversation on stack overflow. So, I used the latest from there, but from this highest rated answer, not the accepted one: https://stackoverflow.com/a/36760050/6376311 Since someone mentioned it, in order to validate private/public IPv4, I made myself an eval-based macro with the following: case( cidrmatch("10.0.0.0/8",$IP$),"False", cidrmatch("172.16.0.0/12",$IP$),"False", cidrmatch("192.168.0.0/16",$IP$),"False", isnull($IP$) OR like($IP$,""), "False", match($IP$,"^((25[0-5]|(2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$"),"True") Then, I can use it in any query like: | eval Remote_Address_isExternal = `isExternalIPv4(Remote_Address)`

msquicc · ‎02-16-2023

Thanks for this explanation. It helped me decide to not use the setting / hack.

msquicc · ‎06-02-2022

not 100% answering the original question here, but hoping to help someone in the future. we're on prem, not splunkcloud, but recently had an issue upgrading our Qualys app and were met with: ERROR: No credentials found. Cannot continue. the following steps resolved the issue: 1. Click Settings> DATA> Data inputs. 2. On the Data inputs screen, click TA-QualysCloudPlatform. 3. On the Qualys screen, disable all the listed data inputs. 4. Open Linux console terminal. 5. Delete passwords.conf file (/opt/Splunk/etc/apps/TAQualysCloudPlatform/local/passwords.conf). 6. Reboot the Splunk instance. 7. Go to the Splunk UI, click Apps > Manage Apps. 8. Click Setup against the Qualys Technology Add-on for Splunk option. 9. On the TA-QualysCloudPlatform screen, enter new credentials under Qualys Credentials. but before saving the credentials again after deleting the password.conf file please clear cache and do a hard reload TA setup page, then enter the credentials again, save and restart the Splunk 10. Click Save. 11. Enabled Data input

msquicc · ‎05-25-2022

msquicc · ‎05-24-2022

[Shift]+[Enter] for new lines. this functionality still amazes me... I've entered a feature suggestion for an option to allow the user to switch that functionality here: https://ideas.splunk.com/ideas/EID-I-537 please go upvote it!!!

msquicc · ‎04-27-2022

I've been struggling with the sourcetype renaming and tstats for some time now. It doesn't honor the rename like normal searches, and it doesn't offer you a _sourcetype field. In a normal search, _sourcetype contains the old sourcetype name: index=* sourcetype=wineventlog | eval old_sourcetype = _sourcetype | top sourcetype, old_sourcetype I finally figured out an elegant way around it, though! | tstats count where index=* sourcetype=wineventlog* by index, sourcetype ```Update Renamed Sourcetypes``` | join type=left sourcetype [| rest /services/data/props/sourcetype-rename | eval sourcetype = title | eval renamed_sourcetype = value | fields sourcetype, renamed_sourcetype] | eval old_sourcetype = sourcetype | eval sourcetype = coalesce(renamed_sourcetype, sourcetype) | eval sourcetype_renamed_from = if(isnotnull(renamed_sourcetype),old_sourcetype,null()) | table index, sourcetype, count, sourcetype_renamed_from Sometimes, I prefer to lowercase index and sourcetype in the main and joined query. Also, I'm not sure what rights the rest command requires. If that's an issue you could always do the same with a lookup. I don't know if this will help the OP, but I do hope it benefits others that may not use tstats so much because of this issue.

Posts	15
Solutions	1
Karma Given	6
Karma Received	2
Member Since	‎08-06-2019

Online Status	Offline
Date Last Visited	yesterday

Classify IPv4 and IPv6 addresses as Internal vs Ex...

Broken Data Link in Fundamentals Training 1 Module...

Re: Classify IPv4 and IPv6 addresses as Internal v...

Classify IPv4 and IPv6 addresses as Internal vs Ex...

Re: When I clicked open in search, I got Request-U...

Splunk Idea to support long URLs

Re: timechart but only for the top 5

Re: SSL enabled between deployment server and depl...

Re: SSL enabled between deployment server and depl...

Re: How to exclude private ip address range from r...

Re: is it an ip address or hostname

Re: Difficulty Understanzing Stanza in props.conf

Re: TA-QualysCloudPlatform

Re: How to split multi-line events at search time?

Re: Can I press enter in a splunk search and not d...

Re: Why does tstats returns events by sourcetype, ...

Join the Conversation