Knowledge Management

Automatic lookup, matching range field?

drejoe
Explorer

Hi,

I would like to enrich netflow data (i.e. dst ip, dst port) with "service name", using automatic lookup.
My lookup looks like the following example:

IP             PORT_RANGE         SERVICENAME
x.x.x.x/32     1024,1048          ServiceA
y.y.y.y/30     80,80              ServiceB
z.z.z.z/31     8000,8999          ServiceC

OR the lookup could be with two PORT fields:

IP             PORT_MIN      PORT_MAX     SERVICENAME
x.x.x.x/32     1024          1048         ServiceA
y.y.y.y/30     80            80           ServiceB
z.z.z.z/31     8000          8999         ServiceC

Matching the IP is easy with match_type CIDR, BUT how to match the port range???
Don't mind which of the two examples above to implement a solution for 😉
Or the solution could be a complete third solution.

Looking forward for some bright answers,
Thanks,
//Torben

0 Karma

JDukeSplunk
Builder

It sounds like a job for a lookup table. I don't know if you can do ranges in a lookup table.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/LookupexampleinSplunkWeb

You may have to have a line entry for each port in the csv file to get it working. Not the best solution, but it is simple and might be the only solution.

So your csv lookup file might look like... And with excel if you enter two cells with consecutive numbers, you can click the corner and drag down to populate up to the number you like.

port,servicename
1024,ServiceA
1025,ServiceA
1026,ServiceA
1027,ServiceA
1028,ServiceA
1029,ServiceA
1030,ServiceA
1031,ServiceA
1032,ServiceA

etc...

Then you can either do an inline |inputlookup or do an automatic search that will create a new field called "ServiceName" or whatever.

0 Karma

drejoe
Explorer

Hi,

Thanks for the answer.

I've already tried this solution (before posting the question) with one line per port. But the amount of combinations is huge - millions of lines which won't work at all.

That's why I need another solution - a solution that can handle these ranges instead of "unfolding" all combinations.

0 Karma
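A range-aware lookup of the kind the question asks for, written here as an added example (it is not code from this thread or from Splunk): the table keeps one row per port range in the first layout above, and the script does the CIDR plus port-range matching itself, in the stdin/stdout CSV shape that a Splunk external (scripted) lookup uses. The field names dst_ip, dst_port and servicename, and the sample addresses in the embedded table, are assumptions.

```python
import csv
import ipaddress
import sys

# Constructed lookup table in the first layout from the question (IP, PORT_RANGE, SERVICENAME).
# In a deployment this would be read from the lookup CSV file instead of being inline.
LOOKUP_CSV = """IP,PORT_RANGE,SERVICENAME
10.1.2.3/32,"1024,1048",ServiceA
192.0.2.0/30,"80,80",ServiceB
198.51.100.0/31,"8000,8999",ServiceC
"""

def load_lookup(text):
    """Parse each row into (network, port_min, port_max, name): one row per range, nothing unfolded."""
    rows = []
    for r in csv.DictReader(text.splitlines()):
        lo, hi = (int(p) for p in r["PORT_RANGE"].split(","))
        rows.append((ipaddress.ip_network(r["IP"], strict=False), lo, hi, r["SERVICENAME"]))
    return rows

def match(lookup, dst_ip, dst_port):
    """Return the first SERVICENAME whose CIDR contains dst_ip and whose range covers dst_port
    (bounds inclusive, so "80,80" matches only port 80). Empty string when nothing matches."""
    try:
        ip = ipaddress.ip_address(dst_ip)
        port = int(dst_port)
    except ValueError:  # missing or malformed field in the event: leave it unenriched
        return ""
    for net, lo, hi, name in lookup:
        if ip in net and lo <= port <= hi:
            return name
    return ""

def main(argv=sys.argv, stdin=sys.stdin, stdout=sys.stdout):
    # Splunk external-lookup contract: the field names listed in transforms.conf arrive as
    # argv, the events arrive as CSV on stdin, and the same columns go back out on stdout
    # with the output field filled in. The three field names here are assumptions.
    ip_field, port_field, out_field = argv[1:4]
    lookup = load_lookup(LOOKUP_CSV)
    reader = csv.DictReader(stdin)
    writer = csv.DictWriter(stdout, fieldnames=reader.fieldnames)
    writer.writeheader()
    for row in reader:
        row[out_field] = match(lookup, row[ip_field], row[port_field])
        writer.writerow(row)

if __name__ == "__main__":
    main()
```

Wired in as an external lookup, the script would be referenced from a transforms.conf stanza with `external_cmd = service_lookup.py dst_ip dst_port servicename` and `fields_list = dst_ip,dst_port,servicename` (script and field names assumed), after which `| lookup` or an automatic lookup can use it like any other lookup.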