Highlighted
Artem Frequent Contributor.
Frequent Contributor.
341 views

How compare IP with multiple subnets

Hello!

I need a help. 

I need to compare IP with several subnets and put a comparison result in a separate field of the report. 

For example: there is IP 1.1.1.1 it should be compared with 1.1.1.0/24 - servers, 2.2.2.0/24 - workstations, 3.3.3.0 / 24-network equipment, 4.4.4.0 / 24-work stations on the street, 5.5. 5.0 / 24 storage server and so on. As a result, I need to get 1.1.1.1, the server.

Tell me, are there any ideas?

Labels (1)
0 Likes
7 Replies
Knowledge Partner
Knowledge Partner

Re: How compare IP with multiple subnets

You can use a variable with conditionalEvaluation funciton. ConditionalEvaluation takes three arguments:

- a filter which acts as a condition
- a return value if the condition check is true
- a return value if the condition check is false

Alternatively, you can use evaluateVelocityTemplate variable and perform a string match. It should be something like this:

#if($destinationAddress.matches('1\.1\.1\.\d+'))Workstation#elseif($destinationAddress.matches('5\.5\.5\.\d+'))Servers#else NoMatch#end

 

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Artem Frequent Contributor.
Frequent Contributor.

Re: How compare IP with multiple subnets

It is not good idea, because I have 300+ subnets.... 

0 Likes
Knowledge Partner
Knowledge Partner

Re: How compare IP with multiple subnets

You need to do asset&network modelling then.  The following videos can help as a starting point:

https://www.youtube.com/watch?v=qn9n6UmfpNw
https://www.youtube.com/watch?v=MFpgTOwgjNE

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
Artem Frequent Contributor.
Frequent Contributor.

Re: How compare IP with multiple subnets

This is a very long way. I repeat that I have 300+ subnets. This will be the last thing I do. I knew about it, but so far I have not specifically used this method.

0 Likes
Knowledge Partner
Knowledge Partner

Re: How compare IP with multiple subnets

I don't think there is an easier way. If all your subnets are /24, maybe you can use active lists.

1- create an active list with 2 fields. first field is the network part (e.g, 1.1.1), second field is the name of networ. first field should be the key field. 

2- In your rule:
a. create a variable which takes the IP address and converts it into a string.
b. create a second variable which returns the network part of the first variable.
c. create a third variable which takes the second variable as a key and returns the value of it from the active list you created. 
d. use 3rd variable for your rule actions.

------------------------------------
Please use the Like button below, if you find this post useful or mark it as an accepted solution if it resolves your issue.
0 Likes
Artem Frequent Contributor.
Frequent Contributor.

Re: How compare IP with multiple subnets

 

 Unfortunately, not all subnets are /24... There are /23, /18 etc...

0 Likes
mschleich Acclaimed Contributor.
Acclaimed Contributor.

Re: How compare IP with multiple subnets

Hi Artem,

 

The best solution and I would say the unique solution because you have 300 subnets, all other solutions would be too long, too impacting, etc... is what told you using the Asset/Network Model.

Personally, I just use Zones because I don't have an Asset DB.

You have different solutions to do that but with the Asset SmartConnector, you prepare your 300 subnets into a proper csv file and you create all Zones.

Then with the Zone ArcSight Function you can identify in which Zone your IP will belong too but you will be able to do it differently in using the sourceZoneName 

Because the purpose of the Asset/Network Model is to add contextual info based on the location of the host or their purpose just based on the IP.

You have to use this method to achieve what you would like.

Thanks
Regards

Michael

0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.