Adding lookups to App?
ddecker03 wrote:
Ok not sure if in the right section.
So I have been using Zeek for Splunk and TA_suricata and we are getting a lot of IPs of course. And I built out some IPs and CIDR in csv. What is the best way to add into the app or should it be a separate lookup that could be used anywhere?
Not sure if there is a difference between IP lookup vs CIDR lookup.
Was also thinking of merging the apps in to one app, but that might be another question for a later day.
Thanks
Reply from a SplunkTrust member:
Also, if you're not aware, there is a lookup editor app that will allow you to edit lookups directly in Splunk:
https://splunkbase.splunk.com/app/1724/
Reply from a SplunkTrust member:
Wherever you place the lookup, it can be made global, so can be used anywhere.
In Settings->Lookup->Lookup table files, you can upload a new CSV file, which can then be used as a lookup.
To make a CIDR lookup, you will need to create a lookup definition based on that CSV file and add `CIDR(fieldname)` in the advanced options so that field is treated as a CIDR for lookup.
The fundamental difference between IP lookup and CIDR lookup is that unless you configure the IPs as CIDR ranges and configure the field as CIDR as above, it's really just a string match on the field containing the IP address.
The benefit of using a CIDR is that you can potentially reduce the size of the lookup, unless of course all the CIDR entries are IP/32.
I tend to use a common app with common definitions, macros and lookups to store entities that have general reuse across Splunk.
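To make the string-match vs CIDR-match difference concrete, here is an added Python example (not from the original thread or from Splunk) that loads a constructed CSV mixing plain IPs and CIDR ranges, as in the asker's follow-up, and shows what each match style returns. The file name, stanza name, field name `ip_range` and the sample rows are all assumptions; the equivalent `transforms.conf` setting is `match_type = CIDR(ip_range)`.

```python
import csv
import io
import ipaddress

# Constructed sample lookup, standing in for the CSV uploaded under
# Settings -> Lookups -> Lookup table files. It mixes bare IPs and CIDR
# ranges; a bare IP is treated as a /32 (or /128 for IPv6).
# Equivalent hypothetical transforms.conf definition:
#   [asset_zones]
#   filename = asset_zones.csv
#   match_type = CIDR(ip_range)
ASSET_CSV = """ip_range,zone,description
10.0.0.0/8,internal,corporate RFC1918 space
10.0.99.0/24,dmz,dmz segment inside 10/8
192.168.50.25,internal,jump host
203.0.113.0/24,external,partner range
198.51.100.7,external,known scanner
"""

def load_lookup(text):
    """Parse the CSV and pre-compute a network object per row."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        # ip_network() accepts both "a.b.c.d" and "a.b.c.d/nn"; strict=False
        # tolerates host bits set inside a CIDR entry.
        row["_net"] = ipaddress.ip_network(row["ip_range"].strip(), strict=False)
        rows.append(row)
    return rows

def lookup_exact(rows, ip):
    """Default lookup behaviour with no match_type: plain string compare,
    so an IP inside a /24 row never matches."""
    return next((r["zone"] for r in rows if r["ip_range"] == ip), None)

def lookup_cidr(rows, ip):
    """Behaviour once the field is matched as CIDR: containment test.
    Where ranges overlap this example prefers the most specific prefix."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in rows if addr in r["_net"]]
    if not hits:
        return None
    return max(hits, key=lambda r: r["_net"].prefixlen)["zone"]
```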
ddecker03 wrote:
Is it easy to use a combination of the two, IP/CIDR?
So for internal IPs we have, of course, IPs.
External we have some IPs but also CIDRs. Need to get the data to play with it I guess.