Knowledge Management
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Automatic lookup, matching range field?

drejoe
Explorer
‎08-21-2018 06:27 AM

Hi,

I would like to enriche netflow data (i.e. dst ip, dst port) with "service name", using automatic lookup.
My lookup looks like the following example:

IP             PORT_RANGE         SERVICENAME
x.x.x.x/32     1024,1048          ServiceA
y.y.y.y/30     80,80              ServiceB
z.z.z.z/31     8000,8999          ServiceC

OR the lookup could be with two PORT fields:

IP             PORT_MIN      PORT_MAX     SERVICENAME
x.x.x.x/32     1024          1048         ServiceA
y.y.y.y/30     80            80           ServiceB
z.z.z.z/31     8000          8999         ServiceC

Matching the IP is easy with match_type CIDR, BUT how-to match the port range???
Don't mind which of the two examples above to implement a solution for 😉
Or the solution could be a complete 3th solution.

Looking forward fore some bright answers,
Thanks,
//Torben

0 Karma
Reply

JDukeSplunk
Builder
‎08-21-2018 10:13 AM

It sounds like a job for a lookup table. I don't know if you can do ranges in a lookup table..

https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/LookupexampleinSplunkWeb

You may have to have a line entry for each port in the csv file to get it working. Not the best solution, but it is simple and might be the only solution.

So your csv lookup file might look like... And with excel if you enter two cells with consecutive numbers, you can click the corner and drag down to populate up to the number you like. 

port,servicename
1024,ServiceA
1025,ServiceA
1026,ServiceA
1027,ServiceA
1028,ServiceA
1029,ServiceA
1030,ServiceA
1031,ServiceA
1032,ServiceA

etc...

Then you can either do an inline |inputlookup or do an automatic search that will create a new field called "ServiceName" or whatever.

0 Karma
Reply

drejoe
Explorer
‎08-21-2018 01:15 PM

Hi,

Thanks for the answer.

I've already tried this solution (before posting the question) with one line per port. But the amount of combinations is huge - millions of lines which won't work at all.

That's why I need another solution - a solution that can handle this ranges instead of "unfolding" all combinations.

0 Karma
Reply
Career Survey
First 500 qualified respondents will receive a $20 gift card! Tell us about your professional Splunk journey.
Take the Survey

Can’t make it to .conf25? Join us online!

Watch Global Broadcast
Get Updates on the Splunk Community!

Leveraging Automated Threat Analysis Across the Splunk Ecosystem

Enhance Security Operations with Automated Threat Analysis in the Splunk EcosystemAre you leveraging ...

What Is Splunk? Here’s What You Can Do with Splunk

Hey Splunk Community, we know you know Splunk. You likely leverage its unparalleled ability to ingest, index, ...

Level Up Your .conf25: Splunk Arcade Comes to Boston

With .conf25 right around the corner in Boston, there’s a lot to look forward to — inspiring keynotes, ...