Getting Data In
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
Ask a Question

Using cidrmatch with a CSV file throws error.

ImanIself
Explorer
‎11-30-2010 12:13 AM

I am trying to match a list of CIDR ranges in a csv file to hosts that are going outbound on our network...basically trying to see if there are any naughty hosts trying to go to Russia. The search command is as follows:

sourcetype="cisco_syslog" | eval Fhost=cidrmatch([inputcsv rrcidrlist], cisco_dsthost)

When i run this the following error is returned: Error in 'eval' command: The number 46.19.104.0 is invalid.

The 46.19.104.0 just so happens to be the first IP in the list, however its doesn't appear to be reading the /21 at the end. Again, it doesn't appear to be reading the 46.19.104.0/21 CIDR range. There are no spaces in the CSV file. The documentation indicates that the double quotes should be used around the CIDR range however i have tried them everywhere and nothing seems to work. Any help would be greatly appreciated. Noobly appreciated 🙂

Tags (1)
Reply

hammon0u
Explorer
‎05-03-2011 12:31 PM

You can use the MAXMIND application to lookup IP against the MAXMIND db and report on anything that returns a lookup to Russia or China etc. You can even find the City in Russia where the packet went.

0 Karma
Reply

gkanapathy
Splunk Employee
Splunk Employee
‎11-30-2010 01:25 AM

The arguments to cidrmatch must be passed as strings, and therefore must be quoted. The results from your subsearch probably looks like:

( ( 46.19.104.0/21 ) )

or

( ( 46.19.104.0/21 ) OR ( 1.2.3.4/21 ) OR ... )

Anyway, the point is subsearch doesn't expand the way you think it does, and if you have multiple values, it is even less likely to work the way you think.

What you really need is:

sourcetype=ciso_syslog [ inputcsv rrcidrlist | fields iprange | rename iprange as cisco_dsthost ]

Which assumes that the fieldname in the CSV file that contains the CIDR ranges is iprange. If it isn't substitute appropriately.

Reply

gkanapathy
Splunk Employee
Splunk Employee
‎12-01-2010 02:38 AM

Yeah, so my example should do what you want.

0 Karma
Reply

ImanIself
Explorer
‎11-30-2010 03:03 PM

I appreciate the quick response. It appears i was going in the wrong direction. Basically I want to compare a CSV list of CIDR ranges to a field which contains hosts attempting to connect externally and return any matches. We want to see if any hosts are attempting to connect to Russia/Romania.

0 Karma
Reply
Got questions? Get answers!

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Meet up IRL or virtually!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Get Updates on the Splunk Community!

Quantify Your Splunk Investment Impact: Introducing Savings Metrics to Value Insights

Building on the foundation established in our initial Value Insights releases, we are introducing the Savings ...

Event Series: Telemetry Pipeline Management

Balancing Scale and Spend: Gaining Control Over High-Volume Metrics in Splunk Observability Cloud As ...

Kick the Tires Before You Commit: A Hands-On Tour of the Splunk Observability Cloud ...

Evaluating an enterprise observability platform usually goes like this: fill out a form, get a free trial with ...