cidrmatch() returning no matches

splunknewby
Path Finder

I'm using cidrmatch() to determine whether a particular IP is on a local network, but when I query Splunk it returns nothing even though there are local IP addresses in the ingested data.

I'm running the following query:
index=main | stats count | eval ip=src_addr | eval network=if(cidrmatch("192.168.0.0/16",ip),"Local","Other") | stats count by ip, network

which returns no results, even though there are IP addresses in the 192.168.0.0/16 domain.

What could be the issue?

Could it be that the src_addr field is saved as a string? Is there a way for Splunk to save that as an IP address field?


HiroshiSatoh
Champion

index=main | stats count | ...
-> The only field left after this is count.


MuS
Legend

Or maybe a bit more detailed: what @HiroshiSatoh means is, you will lose any fields after the stats count if you don't define them alongside the stats. So you will only have a field called count after the stats count; remove it from your search and it should return results as long as you have a field called src_addr 😉

splunknewby
Path Finder

Hey MuS, I tried that and got a few hits. Only I now see a few 192.168.x.x addresses being classified as "Other"?


MuS
Legend

Could it be that you have some multivalue fields, or the src_ip field is not always numeric?

splunknewby
Path Finder

Ah! Cheers, my address ingestion is doubling up for some reason. I used mvindex to grab the first entry and ran cidrmatch() with success.


MuS
Legend

You're welcome, feel free to upvote any useful answers 😉

splunknewby
Path Finder

Quick question, is there a way to filter for IPv6 addresses?


MuS
Legend

Sure, for example to use cidrmatch() for the 2001:0000:1234:1234:1234:1fff:2eee:3ddd address, you can just do something like this:

........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")

splunknewby
Path Finder

Hey MuS, is there a way to capture all private IPv6 addresses?

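A self-contained search that puts the thread's advice together (no bare stats count before the eval, mvindex to take the first entry of a doubled multivalue field, and cidrmatch() against both the IPv4 and IPv6 ranges discussed above). This is an added example, not a search from the thread; the makeresults rows are constructed sample data, and row 4 imitates the doubled-up src_addr the original poster described.

```spl
| makeresults count=4
| streamstats count AS n
| eval src_addr=case(n=1, "192.168.1.10",
                     n=2, "10.0.0.5",
                     n=3, "2001:0000:1234:1234:1234:1fff:2eee:3ddd",
                     n=4, "192.168.7.7")
| eval src_addr=if(n=4, mvappend(src_addr, src_addr), src_addr)
| eval ip=mvindex(src_addr, 0)
| eval network=case(cidrmatch("192.168.0.0/16", ip), "Local",
                    cidrmatch("2001:0000::/32", ip), "Local",
                    true(), "Other")
| stats count BY ip, network
```

Against indexed data, replace the first seven lines (everything up to and including the mvappend eval) with index=main src_addr=* so the classification runs on the real src_addr field.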