Splunk Search

Group IP addresses in CIDR format

jevenson
Path Finder

I'm trying to group IP address results in CIDR format. Most likely I'll be grouping in /24 ranges. Is there an easy way to do this? Maybe some regex?

For example, if I have two IP addresses like 10.10.3.5 and 10.10.3.50 I want them to be counted in the 10.10.3.0/24 range, and then see how many IPs are in each range.

1 Solution

lguinn2
Legend

If there are a limited number of subnets that you want to count, you could do it this way:

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
                   cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

This assumes that the field containing the IP addresses is named ip. It will work for any CIDR-notated subnet. You can add as many cases as you like to the case function.

If you want to simply count by the first 3 octets, you could do it this way:

yoursearchhere
| rex field=ip "(?<subnet>\d+\.\d+\.\d+)\.\d+"
| stats count by subnet
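Both approaches from the accepted answer, the cidrmatch/case lookup and the first-three-octets bucketing, reimplemented as an added Python example (this is not Splunk code from the thread). It assumes events carry an `ip=` key/value pair (the field name is an assumption, as in the answer), uses constructed sample events, and goes one step beyond the rex answer: `count_by_prefix` buckets by any prefix length, which is where matching the first three octets stops working (a /20 or /22 cannot be expressed that way), and it skips strings that look like an address but are not one (`999.1.1.1` passes a digit regex but is not a valid address).

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample events, the kind of lines `yoursearchhere` might return.
SAMPLE_EVENTS = [
    "2024-06-01T10:00:01 action=allowed ip=10.10.3.5 bytes=512",
    "2024-06-01T10:00:02 action=allowed ip=10.10.3.50 bytes=2048",
    "2024-06-01T10:00:03 action=blocked ip=10.10.17.9 bytes=0",
    "2024-06-01T10:00:04 action=allowed ip=10.10.18.200 bytes=128",
    "2024-06-01T10:00:05 action=allowed ip=192.168.1.77 bytes=4096",
    "2024-06-01T10:00:06 action=allowed ip=999.1.1.1 bytes=1",   # passes the regex, not an address
    "2024-06-01T10:00:07 action=allowed ip=not-an-ip bytes=1",
]

# Equivalent of `| rex field=_raw "ip=(?<ip>\d+\.\d+\.\d+\.\d+)"` (assumed field layout).
IP_FIELD = re.compile(r"\bip=(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\b")


def extract_ips(events):
    """Pull the ip field out of each event, dropping events with no valid address."""
    ips = []
    for line in events:
        m = IP_FIELD.search(line)
        if not m:
            continue
        try:
            ips.append(ip_address(m.group("ip")))
        except ValueError:  # octet out of range, e.g. 999.1.1.1
            continue
    return ips


def count_by_prefix(ips, prefixlen=24):
    """The rex answer, generalised: bucket by any prefix length and return
    {'10.10.3.0/24': 2, ...}. strict=False zeroes the host bits for us."""
    buckets = Counter()
    for ip in ips:
        net = ip_network(f"{ip}/{prefixlen}", strict=False)
        buckets[str(net)] += 1
    return dict(buckets)


def count_by_subnet_list(ips, subnets, default="no match"):
    """The case(cidrmatch(...)) answer: first matching subnet wins, everything
    else lands in the default bucket, exactly like eval subnet="no match"."""
    nets = [(label, ip_network(cidr)) for label, cidr in subnets]
    buckets = Counter()
    for ip in ips:
        label = default
        for name, net in nets:
            if ip in net:
                label = name
                break
        buckets[label] += 1
    return dict(buckets)


# The two subnets used in the answer, with the same labels.
SUBNETS = [("10.10.3", "10.10.3.0/24"), ("10.10.17", "10.10.17.0/24")]

if __name__ == "__main__":
    ips = extract_ips(SAMPLE_EVENTS)
    print(count_by_prefix(ips))        # /24 buckets, same result as the rex answer
    print(count_by_prefix(ips, 20))    # /20 buckets, not expressible with three octets
    print(count_by_subnet_list(ips, SUBNETS))
```

`count_by_prefix(ips, 20)` folds 10.10.17.9 and 10.10.18.200 into one 10.10.16.0/20 bucket; the three-octet rex would keep them apart, which is the practical reason to reach for cidrmatch (or a real prefix computation) as soon as the ranges are not /24.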


jcoates_splunk
Splunk Employee

REGEX IP ADDRESS
\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}

REGEX RFC1918 IP ADDRESS
(192\.168\.)\d{1,3}\.\d{1,3}|(10\.)\d{1,3}\.\d{1,3}\.\d{1,3}|(172\.1[6-9]\.)\d{1,3}\.\d{1,3}|(172\.2[0-9]\.)\d{1,3}\.\d{1,3}|(172\.3[0-1]\.)\d{1,3}\.\d{1,3}

REGEX NON-RFC1918 IP ADDRESS
\b(?!10\.|192\.168\.|172\.(?:1[6-9]|2[0-9]|3[01])\.)\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\b
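An added Python check (not code from the post above) that runs an RFC 1918 regex in the same style as those patterns against the `ipaddress` module, which is the reference for what the three private blocks actually contain. It uses a constructed sample set and shows two things a practitioner wants to know before trusting such a regex in a search: the `\b` anchors stop `110.1.2.3` from being matched through its `10.1.2.3` suffix, and a digit-only regex still accepts octets above 255, so `10.999.1.1` is the one input on which the regex and `ipaddress` disagree.

```python
import re
from ipaddress import ip_address, ip_network

# RFC 1918 matcher in the style of the regexes above, with \b anchors so a
# match cannot start in the middle of a longer number. Added example.
RFC1918_RE = re.compile(
    r"\b(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}"
    r"|192\.168\.\d{1,3}\.\d{1,3}"
    r"|172\.(?:1[6-9]|2[0-9]|3[01])\.\d{1,3}\.\d{1,3})\b"
)

# The authoritative definition of the three RFC 1918 blocks.
RFC1918_NETS = [ip_network(c) for c in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918_regex(s):
    """Whole-string test with the regex."""
    return RFC1918_RE.fullmatch(s) is not None


def is_rfc1918_ipaddress(s):
    """Whole-string test with ipaddress; invalid addresses are simply not private."""
    try:
        ip = ip_address(s)
    except ValueError:
        return False
    return any(ip in n for n in RFC1918_NETS)


def find_rfc1918_in_text(text):
    """Search mode, the way rex uses a pattern: every RFC 1918 address in a line."""
    return RFC1918_RE.findall(text)


def disagreements(samples):
    """Inputs on which the regex and ipaddress give different answers."""
    return [s for s in samples if is_rfc1918_regex(s) != is_rfc1918_ipaddress(s)]


# Constructed samples covering the edges of each block plus one malformed address.
SAMPLES = [
    "10.1.2.3", "172.16.0.1", "172.31.255.254", "172.32.0.1",
    "192.168.0.1", "192.169.0.1", "8.8.8.8", "10.999.1.1",
]

# Constructed log line with a decoy (110.x) and a near-miss (172.32.x).
SAMPLE_LINE = "src=110.1.2.3 dst=10.20.30.40 peer=172.32.0.1 nat=192.168.5.5"

if __name__ == "__main__":
    print(find_rfc1918_in_text(SAMPLE_LINE))   # ['10.20.30.40', '192.168.5.5']
    print(disagreements(SAMPLES))              # ['10.999.1.1']
```

When the field already holds a validated address (for instance after a CIDR-aware function such as cidrmatch has been used), the regex is only doing classification and the octet-range gap does not matter; when it is extracting from raw text, it is worth either tightening the octet pattern or validating the extracted value afterwards.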

anewell
Path Finder

I believe there is a minor typo in the first example. In the second line of the Case clause, the period should be a comma:

yoursearchhere
| eval subnet="no match"
| eval subnet=case(cidrmatch("10.10.3.0/24",ip),"10.10.3",
cidrmatch("10.10.17.0/24",ip),"10.10.17")
| stats count by subnet

jevenson
Path Finder

That second regex search worked great, thanks!
