https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446212#M177036 <P>You need to do something like this</P> <PRE><CODE>|makeresults | eval ip = 10.10.10.123 (This would obviously be the $address$ from the form) | rex field=ip "(?&lt;address&gt;\d+.\d+.\d+.)\d+" | lookup IPAM-Allnetworks.csv address OUTPUT | table address cidr location VLAN (i.e. interesting fields from CSV) </CODE></PRE> <P>This code assumes that your CSV has a column called "address" in it</P> Wed, 06 Feb 2019 00:51:51 GMT chrisyounger 2019-02-06T00:51:51Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446211#M177035 <P>I'm trying to create a dashboard that lets a user input an IP address and then search through the IP address database to search for the subnet and location.</P> <P>e.g. if someone enters 10.10.10.123, it would basically do a search through a csv of "10.10.10."</P> <P>So I've tried this for example (among a 1000 other things)<BR /> | inputlookup IPAM-Allnetworks.csv <BR /> | search address=10.10.10.123 (This would obviously be the $address$ from the form)<BR /> | rex field=address "(?\d+.\d+.\d+.)\d+" <BR /> | where address = src_subnet<BR /> | table address cidr location VLAN (i.e. interesting fields from CSV)</P> <P>Yes, this will only work for /24 subnets, but will cover most use cases. </P> <P>The problem I see is that I need to extract the fields before actually searching. I can see why my search doesn't work but not sure how to fix it. </P> Wed, 06 Feb 2019 00:25:48 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446211#M177035 horst_poehlmann 2019-02-06T00:25:48Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446212#M177036 <P>You need to do something like this</P> <PRE><CODE>|makeresults | eval ip = 10.10.10.123 (This would obviously be the $address$ from the form) | rex field=ip "(?&lt;address&gt;\d+.\d+.\d+.)\d+" | lookup IPAM-Allnetworks.csv address OUTPUT | table address cidr location VLAN (i.e. interesting fields from CSV) </CODE></PRE> <P>This code assumes that your CSV has a column called "address" in it</P> Wed, 06 Feb 2019 00:51:51 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446212#M177036 chrisyounger 2019-02-06T00:51:51Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446213#M177037 <P>Thanks. I tried something similar, but the eval command gives me: </P> <P>Error in 'eval' command: The number 10.10.10.123 is invalid. </P> Wed, 06 Feb 2019 00:59:41 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446213#M177037 horst_poehlmann 2019-02-06T00:59:41Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446214#M177038 <P>Quotes around it worked. I just need to work out how to add a "*" wildcard to the end of the search so that it searches:</P> <P>address=10.10.10.*</P> Wed, 06 Feb 2019 01:09:16 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446214#M177038 horst_poehlmann 2019-02-06T01:09:16Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446215#M177039 <P>You need to show a couple of sample rows from your lookup so we can help you better. I assumed the lookup had an "address" column with just the first three octets in the column</P> Wed, 06 Feb 2019 01:18:45 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446215#M177039 chrisyounger 2019-02-06T01:18:45Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446216#M177040 <P>Sorry. The lines look something like this:</P> <P>network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE</P> <P>I'm searching on field 2 (address).<BR /> Thx</P> Thu, 07 Feb 2019 02:22:18 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446216#M177040 horst_poehlmann 2019-02-07T02:22:18Z https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446217#M177041 <P>The lines of the lookup table look something like this:</P> <P>network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE</P> <P>I'm searching on field 2 (which is the "address" field).</P> <P>I sort of got it working by adding a "0" to the extracted field, e.g.</P> <P>|makeresults <BR /> | eval ip = "10.10.10.123"<BR /> | rex field=ip "(?\d+.\d+.\d+.)\d+" <BR /> | eval address=address1."0"<BR /> | lookup IPAM-Allnetworks address OUTPUT <BR /> | table </P> <P>but is there a way to do a wildcard search instead? (i.e. 10.10.10.*)</P> <P>Thx</P> <P>PS: Not sure what happened to the previous comments.</P> Thu, 07 Feb 2019 23:08:06 GMT https://community.splunk.com/t5/Splunk-Search/Modify-search-string-from-input-field-to-search-IP-addr-db/m-p/446217#M177041 horst_poehlmann 2019-02-07T23:08:06Z