- Splunk Answers
- :
- Splunk Administration
- :
- Getting Data In
- :
- Re: How can I use Subnets.csv file of 100 subnets,...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How can I use Subnets.csv file of 100 subnets, instead of adding each in IP search command?
I want to create a Splunk dashboard for 100 subnets in the CSV file. But not able to use this CSV file in my Splunk query.
Example:
CSV file: Subnets.csv
Simple splunk query to generate results without csv file for only 3 subnets:
index=firewall (IP="10.10.10.*" OR IP="10.10.20.*" OR IP="100.100.20.*") (Status=allow)
| stats count(IP) by Status
How can I use Subnets.csv file of 100 subnets, instead of adding each in IP search command?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
UPDATE:
index=firewall [| inputlookup Subnets.csv | fields IP | format] Status=allow | stats count(IP) by Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This doesn't give any results. 😞
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Assuming IP field with subnet values exist in Subnets.csv like below.
IP
10.10.10.*
10.10.20.*
00.100.20.*
......
Try this search:
index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP] Status=allow | stats count(IP) by Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Actually the Subnets are like below in CIDR format.
10.10.10.0/24
10.10.20.128/28
00.100.20.0/25
so above search doesn't work. Any suggestions ?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Better query:
index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP | format] Status=allow | stats count(IP) by Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Tried both methods, but it's not giving expected results. So I have just used notepad++ feature to replace all subnets ending with "star" from column to single row. and now all 100 subnets ending with "star" are in single row.
Like:
IP="10.10.10." OR IP="10.10.20." OR IP="100.100.20.*".....
Although it's not 100% exact, but close to exact, and working.
Thanks manjunathmeti.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Check this query:
index=firewall [| inputlookup Subnets.csv | eval IP=replace(IP,"\d+/\d+", "*") | fields IP] Status=allow | stats count(IP) by Status
This will run as:
index=firewall (IP="10.10.10.*" OR IP="10.10.20.*" OR IP="100.100.20.* OR ....") Status=allow | stats count(IP) by Status
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Replace last part (0/24) of IP with * and use.
index=firewall [| inputlookup Subnets.csv | eval IP="IP=".replace(IP,"\d+/\d+", "*") | fields IP | mvcombine delim=" OR " IP | nomv IP | return $IP] Status=allow | stats count(IP) by Status
More Control Over Your Monitoring Costs with Archived Metrics!
New in Observability Cloud - Explicit Bucket Histograms
Updated Team Landing Page in Splunk Observability
