https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559280#M158906 <P>Thanks very much this worked!</P> Tue, 13 Jul 2021 15:12:55 GMT cbrissett 2021-07-13T15:12:55Z https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559092#M158830 <P>Hi, I am trying to create a query to highlight when specified accounts are used outside of their corresponding IP range by using a csv Lookup table.</P><P>For example, user account 'user1' has signed in from source ip 10.0.0.200 but they are only meant to sign in from 10.0.0.0/25 or 11.0.0.0/25 or 12.0.0.0/25, The csv file would be like follows:</P><P>User, allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3<BR />User1, 10.0.0.0/25, 11.0.0.0/25, 12.0.0.0/25<BR />User 2, 10.0.0.128/25, 11.0.0.128/25&nbsp;<BR />User 3 10.0.1.0/25</P><P>Note that some accounts have a single range, some multiple. Does anyone know how I could make an appropriate Lookup command that will only show user accounts that have been used outside of their designated ip ranges?</P> Mon, 12 Jul 2021 14:00:40 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559092#M158830 cbrissett 2021-07-12T14:00:40Z https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559096#M158834 <P><a href="https://community.splunk.com/t5/user/viewprofilepage/user-id/236296">@cbrissett</a>&nbsp;</P><P>Can you please try this example?</P><P>I have used lookup named&nbsp;cidr_lookup.csv with below value.</P><LI-CODE lang="markup">User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3 User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25 User2,10.0.0.128/25,11.0.0.128/25 User3,10.0.1.0/25</LI-CODE><P>&nbsp;</P><P><STRONG>transforms.conf</STRONG></P><LI-CODE lang="markup">[cidr_lookup] filename = cidr_lookup.csv</LI-CODE><P><STRONG>Search:</STRONG></P><LI-CODE lang="markup">YOUR_SEARCH | lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 |where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) | table User source</LI-CODE><P>&nbsp;</P><P><STRONG>My Sample Search :</STRONG></P><LI-CODE lang="markup">| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" | rename comment as "Upto Now is sample data only" | lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 | where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) | table User source</LI-CODE><P>&nbsp;</P><P>Thanks<BR />KV<BR />▄︻̷̿┻̿═━一<BR /><BR />If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.</P> Mon, 12 Jul 2021 14:41:59 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559096#M158834 kamlesh_vaghela 2021-07-12T14:41:59Z https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559280#M158906 <P>Thanks very much this worked!</P> Tue, 13 Jul 2021 15:12:55 GMT https://community.splunk.com/t5/Splunk-Search/Creating-a-Lookup-for-respective-cidr-ranges/m-p/559280#M158906 cbrissett 2021-07-13T15:12:55Z