- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Add Field to Result based on lookup with CIDRM...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Add Field to Result based on lookup with CIDRMATCH in Lookup file
Hi,
i try to find the correct way to query a lookup file based on a where clause with CIDRMATCH.
I have the following scenario:
We have a lookup table that contains a mapping between our customers and IP Address ranges that are assigned to them. So, the lookup table looks like the following example:
CusomterName Prefix
Customer A 10.1.1.0/24
Customer B 172.16.42.0/16
Customer C 192.168.1.0/24
Additionally, we have sFlow Data that contains explicit IP Addresses as source and destination information. We would like to add a field to each event that holds the CustomerName based on a cidrmatch query of the source or dest IP Address.
I can query the lookup table with cidrmatch to get the required information with the following query:
| inputlookup tenants.csv
| where (cidrmatch(myprefix,"10.66.148.3"))
| fields customer
| dedup customer
And I can query the sFlow Data to show the Connections information that comes from the sFlow Data, but I didn’t find a way to combine these two queries to get the result I want.
For example, I tried it with eval and inputlookup:
source="stream:sflow" | eval Customer=[| inputlookup tenants.csv | where (cidrmatch(myprefix,dest_ip)) | fields customer ]
Maybe someone can give me a hint how this should or can work!
Thanks in advance
Stefan
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the answers are totally stupid I never find any relevant response in this community. He is asking about using CIDR for a lookup table that contains ranges.... No splunk documentation about it!!!!
Try to improve ur documentation please
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You can not perform a CIDR match for a lookup without first creating a lookup definition and specifying which field is a wildacard(cidr) match.
In order to do what you want, you must create a lookup definition first.
At that point you can use the lookup like this:
| lookup tenants_definition_name prefix as dest_ip OUTPUT CustomerName as Customer
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
source="stream:sflow"
| lookup tenants.csv prefix as dest_ip OUTPUT CusomterName as Cusomter
| search Cusomter="*"
cf.
lookup cidr
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks, but your query misses the cidrmatch function. I have to match the ip address to the cidr notation!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
have you see the link?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
yes, i saw it! But is there also a way to do the same directly in SPL?
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
