Splunk Search

Group IP addresses in CIDR format

jevenson
Path Finder

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?

For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IPs are in each range.

1 Solution

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way:

yoursearchhere
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17",
                   true(),"no match")
| stats count by subnet

This assumes that the field containing the IP addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function; the final true() case catches everything that matched no subnet (case returns NULL otherwise, which would drop the field).

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet

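An added Python equivalent of both searches above (example code, not from the thread and not SPL): it buckets a constructed list of ip values by an ordered CIDR list with a "no match" bucket, mirroring cidrmatch()/case(), and by a fixed prefix length, which generalises the first-three-octets rex to any prefix such as /16. Only the standard library ipaddress module is used.

```python
import ipaddress
from collections import Counter

# Constructed sample of values as the `ip` field might carry them.
SAMPLE_IPS = ["10.10.3.5", "10.10.3.50", "10.10.17.9", "192.168.1.4", "not-an-ip"]


def bucket_by_cidr(ips, subnets, no_match="no match"):
    """Count IPs per listed subnet, like the cidrmatch()/case() search.

    `subnets` is an ordered list of CIDR strings; the first match wins,
    as in case(). Unparseable or unmatched values land in `no_match`.
    """
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    counts = Counter()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            counts[no_match] += 1
            continue
        for net in nets:
            if addr.version == net.version and addr in net:
                counts[str(net)] += 1
                break
        else:
            counts[no_match] += 1
    return dict(counts)


def bucket_by_prefix(ips, prefixlen=24):
    """Count IPs per enclosing network of a fixed prefix length.

    With prefixlen=24 this matches the first-three-octets rex; other
    lengths (e.g. 16) give coarser buckets without a new regex.
    """
    counts = Counter()
    for raw in ips:
        try:
            addr = ipaddress.ip_address(raw.strip())
        except ValueError:
            continue  # the rex would simply extract no subnet here
        net = ipaddress.ip_network(f"{addr}/{prefixlen}", strict=False)
        counts[str(net)] += 1
    return dict(counts)


if __name__ == "__main__":
    print(bucket_by_cidr(SAMPLE_IPS, ["10.10.3.0/24", "10.10.17.0/24"]))
    print(bucket_by_prefix(SAMPLE_IPS, 24))
    print(bucket_by_prefix(SAMPLE_IPS, 16))
```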

jcoates_splunk
Splunk Employee
REGEX IP ADDRESS
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

REGEX RFC1918 IP ADDRESS
(192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3}

REGEX NON-RFC1918 IP ADDRESS
\d{1,3}(?<!10|255)\.\d{1,3}\.\d{1,3}\.\d{1,3}|\d{1,3}\.\d{1,3}(?<!192\.168|255\.255)\.\d{1,3}\.\d{1,3}

anewell
Path Finder

I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:
yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet


jevenson
Path Finder

That second regex search worked great, thanks!
