topic Re: What is the correct syntax for excluding a subnet from a search using CIDR notation? in Splunk Search

What is the correct syntax for excluding a subnet from a search using CIDR notation?

jlawsonmers — Thu, 04 Sep 2014 12:59:41 GMT

In trying to learn how to exclude a subnet from a search using CIDR notation, I was directed to this link:
http://answers.splunk.com/answers/130030/how-does-one-search-for-a-cidr-range-of-addresses
which says:
You can't do CIDR defined search on freetext. You can however do it if you have the IP addresses you want to match against in extracted fields. In other words,

10.0.0.0/24

won't work, but

src_ip=10.0.0.0/24

will.

I have a search like this:
"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]"

and I want to exclude the subnet 192.168.0.0/16 (within the fields "_raw" and "host") from the results. How do I do this? What is the correct syntax for the entire search?

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

mikaelbje — Thu, 04 Sep 2014 16:36:28 GMT

Hi! Take a look at the cisco_ios app for an example on how to do this. The view in question is called security_acl. It does a lookup on the cisco_ios_excluded_ips.csv file. Check transforms.conf in the app for the stanza referencing the lookup file. There's also lots of extractions for src_ip in there as well that you can have a look at.

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

ppablo — Fri, 05 Sep 2014 00:49:22 GMT

Here's the link to the app's page 🙂
http://apps.splunk.com/app/1352/

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

mikaelbje — Mon, 28 Sep 2020 17:29:57 GMT

The CSV file:

src_ip
127.0.0.1
192.168.200.0/24

Order matters AFAIK.

Transforms.conf:



[excluded_ips]

filename = excluded_ips.csv

match_type = CIDR(src_ip)

Your search:



"%ASA-4-733100" OR "%ASA-4-733104" OR "%ASA-4-733105" NOT "[ Scanning]" NOT "[ DNS 53]" NOT "[ Port-8191-65535]" NOT "[ NetBIOS-Name 137]" NOT [inputlookup excluded_ips | fields src_ip]

Another example can be found here: http://answers.splunk.com/answers/93779/match_type-cidr-doesnt-seem-to-work

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

jlawsonmers — Wed, 10 Sep 2014 18:40:51 GMT

Thanks, that seems helpful. Would someone tell me where to find the security_acl view and transforms.conf?

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

mikaelbje — Mon, 28 Sep 2020 17:33:11 GMT

security_acl.xml : https://github.com/inspired/cisco_ios/blob/master/default/data/ui/views/security_acl.xml

Transforms.conf :
https://github.com/inspired/TA-cisco_ios/blob/master/default/transforms.conf

Have a look at my other answer which should be a working solution

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

mikaelbje — Thu, 11 Sep 2014 05:18:22 GMT

Note that doing cidr matching on _raw won't work AFAIK. I believe you need a field to look at for CIDR matching

Re: What is the correct syntax for excluding a subnet from a search using CIDR notation?

jlawsonmers — Wed, 17 Sep 2014 18:38:43 GMT

In order to make this work, where should the file "excluded_ips.csv" be placed and where should the file "transforms.conf" be placed?