I'm using cidrmatch() to determine whether a particular IP is on a local network, but when I query Splunk it returns nothing even though there are local IP addresses in the ingested data.
I'm running the following query:
index=main | stats count | eval ip=src_addr | eval network=if(cidrmatch("192.168.0.0/16",ip),"Local","Other") | stats count by ip, network
which returns no results, even though there are IP addresses in the 192.168.0.0/16 domain.
What could be the issue?
Could it be that the src_addr field is saved as a string? Is there a way for Splunk to save that as an IP address field?
index=main | stats count | ...
-> The only field left after this is count.
Or maybe a bit more detailed: what @HiroshiSatoh means is, you will lose any fields after the stats count if you don't define them alongside the stats. So you will only have a field called count after the stats count. Remove it from your search and it should return results, as long as you have a field called src_addr 😉
Hey MuS, I tried that and got a few hits. Only I now see a few 192.168.x.x addresses being classified as "Other"?
Could it be that you have some multivalue fields, or that the src_ip field is not always numeric?
Ah! Cheers, my address ingestion is doubling up for some reason. I used mvindex to grab the first entry and ran cidrmatch() with success.
You're welcome, feel free to upvote any useful answers 😉
Quick question, is there a way to filter for IPv6 addresses?
Sure, for example to use the cidrmatch() for 2001:0000:1234:1234:1234:1fff:2eee:3ddd address, you can just do something like this:
........... | eval network=if(cidrmatch("2001:0000::/32",clientip), "local", "other")
Hey Mus, is there a way to capture all private ipv6 addresses?
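The points made in the thread above (the stats count that drops every field except count, the multivalue src_addr that makes cidrmatch() miss, and cidrmatch() on IPv6 prefixes) pulled together into one runnable search. This is an added example, not a query posted by anyone in the thread: the sample events are constructed inline with makeresults so it runs without any index, and it goes beyond the thread by classifying all three RFC 1918 IPv4 ranges plus the IPv6 unique-local range fc00::/7 (RFC 4193), which is the closest thing IPv6 has to "private" addresses. It assumes a Splunk version whose cidrmatch() accepts IPv6 prefixes, as the thread already relies on.

```spl
| makeresults
| eval src_addr=split("192.168.10.5,192.168.10.5", ",")   `comment("constructed: doubled-up multivalue field, as in the thread")`
| append [| makeresults | eval src_addr="10.0.0.7"]
| append [| makeresults | eval src_addr="172.20.1.9"]
| append [| makeresults | eval src_addr="8.8.8.8"]
| append [| makeresults | eval src_addr="fd12:3456:789a::1"]   `comment("constructed: IPv6 unique-local address")`
| append [| makeresults | eval src_addr="2001:db8::1"]         `comment("constructed: documentation prefix, not local")`
| eval ip=mvindex(src_addr, 0)   `comment("take the first value; cidrmatch() on a multivalue field does not match")`
| eval network=case(
    cidrmatch("10.0.0.0/8", ip) OR cidrmatch("172.16.0.0/12", ip) OR cidrmatch("192.168.0.0/16", ip), "Local (IPv4 private)",
    cidrmatch("fc00::/7", ip), "Local (IPv6 ULA)",
    isnotnull(ip), "Other")
| stats count by ip, network
```

Note that there is no stats count before the eval, which was the original problem: stats only passes on the fields named in its own clause, so the src_addr needed by cidrmatch() would no longer exist. If the doubling is always an exact duplicate, mvdedup(src_addr) before mvindex() gives the same first entry while keeping any genuinely different second address available for inspection. The comment() macro calls are only there to annotate the search; drop them if your environment does not define such a macro.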