Solved

Searching for data from a particular IP range using Splunk

Posted on 2014-10-21
1
2,426 Views
Last Modified: 2014-11-02
I use Splunk 6 (free) for some basic keyword searching.  Generally I just add a specific IP address and a keyword, and I get a hit if it has been indexed.  My IP ranges are usually Class C, and I just used something like 10.10.10.* when wanting to search for that particular keyword in the subnet.

Recently I needed to do searches found in much larger IP ranges.  For example 101.2.176.0 to 101.2.191.255.
How would I define that range with Splunk?  I have looked at some articles, and there they used 101.2.176.0/20 format, but for the life of me I am unable to get it to work in my Splunk searches.

So, if my keyword was "error", and my range was 101.2.176.0 to 101.2.191.255, how would I add that to a Splunk search?
0
Comment
Question by:hbcit
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
1 Comment
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 40396391
Probably tab on the answers.splunk forum for such queries, I input the "ip range" to search in the forum as below.
http://answers.splunk.com/search.html?f=&redirect=search%2Fsearch&sort=relevance&q=ip+range&type=question

Some may be useful below.

Search for multiple IP ranges - using where and cidrmatch or octet range rule
http://answers.splunk.com/answers/13251/search-for-multiple-ip-ranges.html

Using CIDR in a lookup table - Create a CSV lookup table with your subnets
http://answers.splunk.com/answers/5916/using-cidr-in-a-lookup-table.html

Conditional search for multiple IP ranges e.g. IP regex such as regex clientaddress="10\.([1-9]|[1-9][0-9]|1[0-9][0-9]|200)\.([8-9][0-9]|1[0-9][0-9])\.(2(3[1-9]|4[0-9]|5[0-4]))"
http://answers.splunk.com/answers/13251/search-for-multiple-ip-ranges.html
0

Featured Post

Do you have a plan for Continuity?

It's inevitable. People leave organizations creating a gap in your service. That's where Percona comes in.

See how Pepper.com relies on Percona to:
-Manage their database
-Guarantee data safety and protection
-Provide database expertise that is available for any situation

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

If you're not part of the solution, you're part of the problem.   Tips on how to secure IoT devices, even the dumbest ones, so they can't be used as part of a DDoS botnet.  Use PRTG Network Monitor as one of the building blocks, to detect unusual…
When you try to share a printer , you may receive one of the following error messages. Error message when you use the Add Printer Wizard to share a printer: Windows could not share your printer. Operation could not be completed (Error 0x000006…
Michael from AdRem Software outlines event notifications and Automatic Corrective Actions in network monitoring. Automatic Corrective Actions are scripts, which can automatically run upon discovery of a certain undesirable condition in your network.…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …

717 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question