topic Re: How do I create a search, excluding a list of CIDR ranges? in Splunk Search

How do I create a search, excluding a list of CIDR ranges?

Skeer-Jamf — Wed, 10 Aug 2022 15:30:07 GMT

So I'm trying to create a metrics search using the following query:

index="test" identities="ident_*" src=10.11.40.0/22 OR src=10.11.48.0/22 OR src=10.11.56.0/22 OR src=10.11.64.0/22 OR src=10.11.72.0/22 OR src=10.120.40.0/22 OR src=10.120.48.0/22 OR src=10.120.56.0/22 OR src=10.120.64.0/22 OR src=10.15.8.0/22 OR src=10.15.40.0/22 OR src=10.15.48.0/22 OR src=10.15.56.0/22 OR src=10.15.72.0/22 OR src=10.15.76.0/22 OR src=10.15.80.0/22 | top src | outputlookup test-excludes-no-dedup.csv

I then take the CSV and use it here:

index="test" identities="ident_*" NOT [ inputlookup test-excludes-no-dedup.csv ] | top src

Is this the correct way to [exclude] the CIDR ranges contained within the lookup CSV? I get some results doing this but here it is, almost 1AM and I'm starting to question whether OR is correct. Maybe I should be using AND?

I want to find all the 'src' items that are not in those CIDR ranges in the CSV.. am I going about it correctly?

Re: Query syntax help, excluding a list of CIDR ranges..

bowesmana — Wed, 10 Aug 2022 05:03:08 GMT

Firstly, if your 'src' field contains IP addresses, then you cannot use src=CIDR_RANGE in your search, unless the 'src' field itself is actually that string.

If your intention is to have a lookup that contains a list of CIDR ranges, then simply create the lookup, e.g. like this

| makeresults | eval src=split("10.11.40.0/22,10.11.48.0/22,10.11.56.0/22,10.11.64.0/22,10.11.72.0/22,10.120.40.0/22,10.120.48.0/22,10.120.56.0/22,10.120.64.0/22,10.15.8.0/22,10.15.40.0/22,10.15.48.0/22,10.15.56.0/22,10.15.72.0/22,10.15.76.0/22, 10.15.80.0/22", ",") | mvexpand src | table src | outputlookup test-excludes.csv

Then create a lookup definition and in the advanced settings, set the match type field to CIRT(src)

Then in your code you can do

search... | lookup test-excludes src OUTPUT src as found | where isnull(found)

which will then have 'src' IP addresses that are NOT in the ranges of the lookup

Re: Query syntax help, excluding a list of CIDR ranges..

Skeer-Jamf — Wed, 10 Aug 2022 12:42:13 GMT

Oh wow, I was way off! This is awesome.. I'm new to the more advanced query so definitely appreciate you. I do get a good long list of src's now. When I try to add a | top src to this to get a nice simple metric list I'm back to less than 10. So I'm pretty sure my metrics attempt is breaking things since this short list looks super similar to the one I'd get last night.

Maybe I should just keep it as Events..

Re: Query syntax help, excluding a list of CIDR ranges..

Skeer-Jamf — Wed, 10 Aug 2022 15:27:37 GMT

Can I ask you something else related? If I perform everything you outlined above exactly, I get a nice healthy Events list. If I add
| top src

I get a list of 9 src's, with their counts. I have the page row size at 50, but only get 9.

Now if I add:
| top limit=100 src

I get two pages worth of src's with counts. I was assuming that by not including 'limit' that the search would return all results, but that doesn't seem to be happening here.

Any thoughts on how I can correctly return every SRC that's not in that lookup without setting a limit=?

Re: How do I create a search, excluding a list of CIDR ranges?

ITWhisperer — Wed, 10 Aug 2022 16:44:31 GMT

You could try using a where command post search

Not sure if the AND should be OR though

Re: How do I create a search, excluding a list of CIDR ranges?

Skeer-Jamf — Wed, 10 Aug 2022 18:22:39 GMT

Hmm, same result. Well now it's 10 src's with a 50 per page setting. Trying like earlier, adding top limit=100 src returns 100.

So for w/e reason it's still not wanting to dump all the results w/o limit.

Re: How do I create a search, excluding a list of CIDR ranges?

ITWhisperer — Wed, 10 Aug 2022 20:41:11 GMT

top defaults to 10 results - try

| top 0 src