Splunk Search

Adding lookups to App?

ddecker03
Loves-to-Learn Everything

Ok not sure if in the right section.  

So I have been using Zeek for Splunk and TA_suricata and we are getting a lot of IPs of course. And I built out some IPs and CIDR in csv. What is the best way to add into the app or should it be a separate lookup that could be used anywhere?

Not sure if there is a difference between IP lookup vs CIDR lookup.

Was also thinking of merging the apps into one app, but that might be another question for a later day.


Thanks


bowesmana
SplunkTrust

Also, if you're not aware, there is a lookup editor app that will allow you to edit lookups directly in Splunk

https://splunkbase.splunk.com/app/1724/


bowesmana
SplunkTrust

Wherever you place the lookup, it can be made global, so can be used anywhere.

In Settings->Lookup->Lookup table files, you can upload a new CSV file, which can then be used as a lookup.

To make a CIDR lookup, you will need to create a lookup definition based on that CSV file and add CIDR(fieldname) in the advanced options so that field is treated as a CIDR for lookup.

The fundamental difference between IP lookup and CIDR lookup is that unless you configure the IPs as CIDR ranges and configure the field as CIDR as above, it's really just a string match on the field containing the IP address.

The benefit of using a CIDR is that you can potentially reduce the size of the lookup, unless of course all the CIDR entries are IP/32.

I tend to use a common app with common definitions, macros and lookups to store entities that have general reuse across Splunk.


ddecker03
Loves-to-Learn Everything

Is it easy to use a combination of the two, IP/CIDR?

So for internal IPs we have, of course, IPs.

External we have some IPs but also CIDRs. Need to get the data to play with it I guess.

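An added illustration, not from the thread or from Splunk itself, of the point in the answer above (a plain lookup is a string match, a CIDR lookup is a range match) and of the follow-up about mixing bare IPs with CIDR ranges in one lookup. The CSV is constructed; in Splunk terms the "cidr" mode below corresponds to a lookup definition whose advanced option is CIDR(cidr), and treating a bare IP as a /32 is how Python's ipaddress module behaves, not something the thread confirms for Splunk.

```python
import csv
import io
import ipaddress

# Constructed sample lookup CSV (not from the thread): bare IPs and CIDR
# ranges mixed in one column, as the follow-up question describes.
LOOKUP_CSV = """cidr,zone,note
10.0.0.0/8,internal,corp-lan
192.168.1.25,internal,printer-vlan
203.0.113.0/24,external,partner-range
198.51.100.7,external,known-scanner
"""


def load_rows(text):
    """Parse the lookup CSV into a list of row dicts, header as keys."""
    return list(csv.DictReader(io.StringIO(text)))


def string_match(rows, ip, field="cidr"):
    """Plain lookup (no CIDR option): the event value must equal the cell."""
    return [r for r in rows if r[field] == ip]


def cidr_match(rows, ip, field="cidr"):
    """Lookup with the field treated as CIDR: the event IP must fall in the
    range. A bare IP cell becomes a /32 (ipaddress behaviour, assumed here)."""
    addr = ipaddress.ip_address(ip)
    hits = []
    for r in rows:
        try:
            net = ipaddress.ip_network(r[field], strict=False)
        except ValueError:
            continue  # skip a malformed cell instead of failing the lookup
        if addr in net:  # False across IPv4/IPv6, so no cross-family hits
            hits.append(r)
    return hits


def zone_for(ip, mode="cidr", rows=None):
    """Return the zone of the first matching row in file order, or None."""
    rows = load_rows(LOOKUP_CSV) if rows is None else rows
    hits = cidr_match(rows, ip) if mode == "cidr" else string_match(rows, ip)
    return hits[0]["zone"] if hits else None


if __name__ == "__main__":
    for probe in ("10.42.7.9", "192.168.1.25", "203.0.113.200", "198.51.100.8"):
        print(probe, "string:", zone_for(probe, "string"), "cidr:", zone_for(probe))
```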