topic Re: getting ip range lookup in Splunk Search

How to get ip range lookup?

abi2023 — Thu, 24 Aug 2023 17:21:48 GMT

I uploaded csv lookup table has 2 field location and iprange.

iS THERE WAY TO GET WHAT ARE POSSIBLE IP IN EACH RANGE. SO I CAN ENTER IP address it will return the location for that range?

Re: getting ip range lookup

ITWhisperer — Wed, 23 Aug 2023 22:26:03 GMT

How is iprange defined?

Re: getting ip range lookup

bowesmana — Wed, 23 Aug 2023 23:19:04 GMT

If your IP ranges are defined as CIDR ranges then you can make a lookup using the IP range as a CIDR lookup field and then you can give a lookup for an IP address and it will return location.

See the lookup documentation

https://docs.splunk.com/Documentation/Splunk/9.0.3/SearchReference/Lookup

Re: getting ip range lookup

abi2023 — Fri, 25 Aug 2023 16:26:07 GMT

|inputlookup demo.csv
| eval ip = "xx.xxx.xxx.xxx" ```Enter IP address you the Match```
| eval result=if(cidrmatch(ip_range, ip), "true", "false")
| search result="true"

i am using above spl to return result for the ip address associated with the IP range in lookup table. this work fine.

I want do same thing when index=main has field ip which contains IP address. I need to invoke cidrmatch out result assiate with same iprange. how do modifiy my SPL. SINCE lookup table and my index info has nothing in common other than Ip field i have and lookup table has ip tange info. Is there way i can use lookup cammand do this?

Thanks

Re: getting ip range lookup

bowesmana — Fri, 25 Aug 2023 21:46:53 GMT

Yes, you need to make a lookup DEFINITION based on the lookup file. In the advanced options for the definition add CIDR(ip_range)

In your SPL you do

index=main | lookup definition_name ip_range as ip OUTPUT ip_range as found

then you will have the found field as your range if the IP is found or null if not found

so you can do this

| where isnotnull(found)

which will find those that match the range.

Re: getting ip range lookup

alberto-sirt — Thu, 11 Jul 2024 18:58:20 GMT

Hi,

I hope someone can help me, In my case the lookup has a CIDR definition, but the lookup is not matching and I know there is a least one match

this is my line:

| lookup file.csv network AS ip OUTPUT network AS sub_xarxa

thanks in advance

Re: getting ip range lookup

bowesmana — Thu, 11 Jul 2024 23:53:45 GMT

Your lookup command is looking up file.csv, which is NOT the definition.

The lookup file contains the data, the lookup definition is the lens through which you interpret the data in the file.

Re: getting ip range lookup

manjunathmeti — Fri, 12 Jul 2024 05:24:22 GMT

Hi @alberto-sirt,

As @bowesmana said you need to use a lookup definition instead of querying the lookup file itself. You can refer to this example: https://docs.splunk.com/Documentation/Splunk/9.2.2/Knowledge/Addfieldmatchingrulestoyourlookupconfiguration#Example_of_using_match_type_for_IPv6_CIDR_match.

Re: getting ip range lookup

alberto-sirt — Fri, 12 Jul 2024 07:06:16 GMT

Thanks very much. It is solve now.