There are several extensions that Sentinel Log Manager has implemented for searching on IP addresses. Specifically, there are a number of convenient ways to specify IP address ranges. These are explained in the following sections:
Sentinel Log Manager supports the Classless Inter-Domain Routing (CIDR) notation as a search value for IP address fields such as sip (initiator IP) and dip (target IP) for specifying an IP address range. The notation uses a combination of an IP address and a mask, as follows:
xxx.xxx.xxx.xxx/n
In this notation, n is the number of high-order bits of the address that must match. For example, consider the following query:
sip:10.0.0.0/24
This query returns events whose sip field is an IPv4 address ranging from 10.0.0.0 to 10.0.0.255.
In IP address search values, the asterisk (*) is the only wildcard character you can use to specify ranges of IP addresses. You cannot use the question mark (?) character.
In IPv4 addresses, an asterisk (*) can be used at any of the positions in the quad format. For example, all of the following queries are valid on the sip field:
sip:10.*.80.16
sip:10.02.*.*
sip:10.*.80.*
If an asterisk (*) is used in one of the quad positions in an IPv4 address, it cannot be combined with other digits. For example, all of the following queries are invalid:
sip:10.*7.80.16
sip:10.10*.80.16
Because the question mark (?) is not allowed, the following queries are invalid:
sip:10.10?.80.16
sip:10.?.80.16
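To make the two rules above concrete, here is an added example in Python (not Sentinel Log Manager's own code) that validates a search value the way the text describes and applies it to a small constructed set of events: a CIDR value matches when the high-order n bits agree, an asterisk matches a whole quad only, and any question mark or asterisk mixed with digits is rejected. The event records, the `search` function and the quad regular expression are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample events; the sip values are chosen to exercise the rules in the text.
SAMPLE_EVENTS = [
    {"id": 1, "sip": "10.0.0.17", "dip": "192.0.2.10"},
    {"id": 2, "sip": "10.0.0.255", "dip": "192.0.2.10"},
    {"id": 3, "sip": "10.0.1.4", "dip": "192.0.2.10"},
    {"id": 4, "sip": "10.2.80.16", "dip": "192.0.2.20"},
    {"id": 5, "sip": "10.55.80.16", "dip": "192.0.2.20"},
    {"id": 6, "sip": "10.2.9.9", "dip": "192.0.2.20"},
]

# A quad is either a lone asterisk or a decimal number 0-255 (leading zeros allowed, as in 10.02.*.*).
# An asterisk combined with digits ("*7", "10*") does not match and is therefore rejected.
QUAD_RE = re.compile(r"^(\*|25[0-5]|2[0-4]\d|1?\d?\d)$")


def parse_ip_pattern(value):
    """Validate a search value; return ('cidr', network) or ('wild', quads), or raise ValueError."""
    if "?" in value:
        raise ValueError("the question mark (?) is not allowed in IP address search values")
    if "/" in value:
        # CIDR: only the n high-order bits have to match, so host bits in the value are ignored.
        return ("cidr", ipaddress.ip_network(value, strict=False))
    quads = value.split(".")
    if len(quads) != 4:
        raise ValueError("wildcard search values must use the IPv4 quad format")
    for quad in quads:
        if not QUAD_RE.match(quad):
            raise ValueError(f"invalid quad {quad!r}: an asterisk cannot be combined with other digits")
    return ("wild", quads)


def is_valid_pattern(value):
    """True if the search value is accepted by the rules above."""
    try:
        parse_ip_pattern(value)
        return True
    except ValueError:
        return False


def ip_matches(parsed, ip):
    """Test one IPv4 address against a parsed search value."""
    kind, spec = parsed
    if kind == "cidr":
        return ipaddress.ip_address(ip) in spec
    octets = [int(o) for o in ip.split(".")]
    # Compare numerically so that "02" in the pattern matches octet 2 in the event.
    return all(q == "*" or int(q) == o for q, o in zip(spec, octets))


def search(field, value, events=SAMPLE_EVENTS):
    """Return the ids of events whose field (e.g. sip or dip) matches the search value."""
    parsed = parse_ip_pattern(value)
    return [e["id"] for e in events if ip_matches(parsed, e[field])]


if __name__ == "__main__":
    for query in ("10.0.0.0/24", "10.*.80.16", "10.02.*.*", "10.*.80.*"):
        print(f"sip:{query} -> events {search('sip', query)}")
    for bad in ("10.*7.80.16", "10.10*.80.16", "10.10?.80.16", "10.?.80.16"):
        print(f"sip:{bad} -> valid: {is_valid_pattern(bad)}")
```

Because the matcher parses each quad numerically, the CIDR branch and the wildcard branch can be checked against the same event set; the invalid forms from the text are refused before any event is examined.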