topic Re: Match mix of CIDR Ips and IPv4 Ips from a lookup to search in Splunk Search

Match mix of CIDR Ips and IPv4 Ips from a lookup to search

dwibedi03 — Tue, 15 Dec 2020 16:43:29 GMT

I have a lookup table which consists of src_ip. This source Ip has mix of Ips in the format:

Src_ip

163.74.7.212

163.74.13.57

67.75.175.32/27

68.143.151.125/26

I need to match this lookup table to my search which consists of the field src_ip in my data. But how do i do that since it is a mix of cidr and normal ips? My actual data for src_ip doesnt consits of cidr ips. Can someone let me know ?

Re: Match mix of CIDR Ips and IPv4 Ips from a lookup to search

bowesmana — Tue, 15 Dec 2020 23:03:31 GMT

@dwibedi03

Can you convert all your non CIDR ips in the lookup file to add /32 to the end to make them all CIDR format.

In that way you can set your lookup with the advanced lookup option CIDR(Src_ip) and just do the lookup, which will find it.

Re: Match mix of CIDR Ips and IPv4 Ips from a lookup to search

dwibedi03 — Wed, 16 Dec 2020 13:52:16 GMT

@bowesmana : I thought of doing that but I didn't know how to use the lookup after that. Can you explain me in detail about the advanced lookup option?

Re: Match mix of CIDR Ips and IPv4 Ips from a lookup to search

bowesmana — Thu, 17 Dec 2020 03:29:26 GMT

@dwibedi03

You have a lookup file, says ips.csv and then you create a lookup definition (which is an abstraction layer on top of the lookup file). Connect it to the actual file itself and then set the Src_ip field to be a CIDR type field like this

then just use the lookup definition in the lookup command, not the file itself, so

base search | lookup ips Src_ip as src_ip output Src_ip as ipFound ...

so this assumes your event field is src_ip and the CSV file has a column called Src_ip. After this executes, you will have a new field ipFound if the IP exists in the CIDR range of one of the ranges, or null if not.

You can then do this

| where isnull(ipFound)

to see if it was NOT found