Knowledge Management

Automatic lookup, matching range field?

drejoe
Explorer

Hi,

I would like to enrich netflow data (i.e. dst ip, dst port) with "service name", using automatic lookup.
My lookup looks like the following example:

IP             PORT_RANGE         SERVICENAME
x.x.x.x/32     1024,1048          ServiceA
y.y.y.y/30     80,80              ServiceB
z.z.z.z/31     8000,8999          ServiceC

OR the lookup could be with two PORT fields:

IP             PORT_MIN      PORT_MAX     SERVICENAME
x.x.x.x/32     1024          1048         ServiceA
y.y.y.y/30     80            80           ServiceB
z.z.z.z/31     8000          8999         ServiceC

Matching the IP is easy with match_type CIDR, BUT how to match the port range???
Don't mind which of the two examples above to implement a solution for 😉
Or the solution could be a complete 3rd solution.

Looking forward for some bright answers,
Thanks,
//Torben

0 Karma

JDukeSplunk
Builder

It sounds like a job for a lookup table. I don't know if you can do ranges in a lookup table.

https://docs.splunk.com/Documentation/Splunk/7.1.2/Knowledge/LookupexampleinSplunkWeb

You may have to have a line entry for each port in the csv file to get it working. Not the best solution, but it is simple and might be the only solution.

So your csv lookup file might look like... And with excel if you enter two cells with consecutive numbers, you can click the corner and drag down to populate up to the number you like.

port,servicename
1024,ServiceA
1025,ServiceA
1026,ServiceA
1027,ServiceA
1028,ServiceA
1029,ServiceA
1030,ServiceA
1031,ServiceA
1032,ServiceA

etc...

Then you can either do an inline |inputlookup or do an automatic search that will create a new field called "ServiceName" or whatever.

0 Karma

drejoe
Explorer

Hi,

Thanks for the answer.

I've already tried this solution (before posting the question) with one line per port. But the amount of combinations is huge - millions of lines which won't work at all.

That's why I need another solution - a solution that can handle these ranges instead of "unfolding" all combinations.

0 Karma
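The range-aware match the thread is asking for, as an added example that is not part of any post above: one row per network and port range (the second table layout), matched against a flow with a CIDR test plus an inclusive port comparison, so nothing has to be unfolded into millions of lines. The IPs, port ranges and flows are constructed sample data; the function names (compile_lookup, service_for, enrich) are my own. In Python this is the shape of logic a Splunk external (scripted) lookup would run, where the script reads the flow fields as CSV on stdin and writes the filled-in SERVICENAME column back on stdout; the main block below only runs the constructed sample.

```python
import ipaddress

# Constructed sample of the range-based lookup (second layout from the thread).
# A broad /24 catch-all is included to show that the most specific prefix wins.
LOOKUP_ROWS = [
    {"IP": "10.0.0.5/32", "PORT_MIN": 1024, "PORT_MAX": 1048, "SERVICENAME": "ServiceA"},
    {"IP": "10.0.1.0/30", "PORT_MIN": 80,   "PORT_MAX": 80,   "SERVICENAME": "ServiceB"},
    {"IP": "10.0.2.0/31", "PORT_MIN": 8000, "PORT_MAX": 8999, "SERVICENAME": "ServiceC"},
    {"IP": "10.0.0.0/24", "PORT_MIN": 1,    "PORT_MAX": 65535, "SERVICENAME": "Catchall"},
    {"IP": "not-a-cidr",  "PORT_MIN": 1,    "PORT_MAX": 2,    "SERVICENAME": "Broken"},
    {"IP": "10.0.3.0/24", "PORT_MIN": 900,  "PORT_MAX": 100,  "SERVICENAME": "Inverted"},
]

# Constructed netflow records, as they would arrive from the search pipeline.
FLOWS = [
    {"dst_ip": "10.0.0.5", "dst_port": "1030"},   # inside ServiceA's /32 and range
    {"dst_ip": "10.0.0.5", "dst_port": "1049"},   # one past the range -> falls to Catchall
    {"dst_ip": "10.0.1.2", "dst_port": "80"},     # /30 covers .0-.3
    {"dst_ip": "10.0.2.2", "dst_port": "8500"},   # /31 covers only .0-.1 -> no match
    {"dst_ip": "garbage",  "dst_port": "22"},     # malformed input must not crash the lookup
]


def compile_lookup(rows):
    """Parse the CIDR and port columns once, up front, so each flow is matched
    against network objects instead of re-parsing strings per event.
    Rows with an unparsable CIDR or an inverted range are dropped rather than
    silently matching nothing or everything."""
    compiled = []
    for row in rows:
        try:
            net = ipaddress.ip_network(row["IP"], strict=False)
            lo, hi = int(row["PORT_MIN"]), int(row["PORT_MAX"])
        except (ValueError, KeyError):
            continue
        if lo > hi or not (0 <= lo <= 65535 and 0 <= hi <= 65535):
            continue
        compiled.append((net, lo, hi, row["SERVICENAME"]))
    # Longest prefix first: an overlapping /32 row beats a /24 catch-all.
    compiled.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return compiled


def service_for(dst_ip, dst_port, compiled):
    """Return the SERVICENAME of the first (most specific) row whose network
    contains dst_ip and whose inclusive port range contains dst_port, else None."""
    try:
        addr = ipaddress.ip_address(dst_ip)
        port = int(dst_port)
    except ValueError:
        return None
    for net, lo, hi, name in compiled:
        if addr.version == net.version and addr in net and lo <= port <= hi:
            return name
    return None


def enrich(flows, compiled):
    """Add a SERVICENAME field to every flow; unmatched flows get an empty string
    so enrichment never drops events the way a filtering 'where' would."""
    out = []
    for flow in flows:
        row = dict(flow)
        row["SERVICENAME"] = service_for(flow.get("dst_ip", ""), flow.get("dst_port", ""), compiled) or ""
        out.append(row)
    return out


if __name__ == "__main__":
    table = compile_lookup(LOOKUP_ROWS)
    for row in enrich(FLOWS, table):
        print(row["dst_ip"], row["dst_port"], row["SERVICENAME"] or "<none>")
```

Note that the two rejected rows (bad CIDR, inverted range) are skipped at compile time; when this runs as a lookup it is worth logging those to stderr so a typo in the CSV shows up in the lookup's output rather than as a quiet enrichment gap.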