Can I use a lookup table of IP ranges + location names to add a location field to network traffic based on IP range?

md_zali
New Member

I have a lookup table of IP ranges with location names. I'm trying to search network traffic and add a "location" field to the result based on what IP range the src_ip falls under. I do not have access to any of the configuration files and would like to know if I can do this within the search.

Example of my lookup table (range_location.csv):
range,location
50.106.56.0/21,site_1

0 Karma

gcusello
SplunkTrust

Hi md_zali,
Yes, you can manage the location lookup as a normal lookup, relating the lookup's IP ranges to the search results.
Bye.
Giuseppe

0 Karma

gcusello
SplunkTrust

Hi md_zali,
I found a problem using CIDR: it usually works in searches, but it seems that it doesn't match in lookups.
So a workaround is to write each address in a different row.

IP,location
10.10.10.1,site1
10.10.10.2,site1
10.10.10.3,site1
10.10.10.4,site1
10.10.10.5,site1
10.10.10.6,site2
10.10.10.7,site2
10.10.10.8,site2
10.10.10.9,site2
10.10.10.10,site2
...

so you can use a search like this:
index=your_index
| lookup range_location.csv IP AS src_ip OUTPUT location
| table _time src_ip location

Bye.
Giuseppe

0 Karma
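The per-address workaround above means turning each CIDR row of the original range_location.csv into one row per host. The following Python script is an added example, not code from this thread or from Splunk: it parses the CIDR table (tolerating the stray space in "50.106.56.0 /21"), writes the expanded IP,location CSV, and also shows the direct CIDR match a lookup-free search would perform. The "10.10.10.0/30,site_2" row is constructed sample input.

```python
import csv
import io
import ipaddress

# Constructed sample of the CIDR-based lookup from the question; the stray
# space before "/21" mirrors the posted example and is tolerated below.
RANGE_LOOKUP_CSV = """range,location
50.106.56.0 /21,site_1
10.10.10.0/30,site_2
"""


def parse_ranges(csv_text):
    """Yield (network, location) pairs, ignoring whitespace inside the range."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        cidr = row["range"].replace(" ", "")
        # strict=False also accepts a prefix written with host bits set
        yield ipaddress.ip_network(cidr, strict=False), row["location"]


def expand_to_hosts(csv_text):
    """Return (IP, location) rows, one per address, as in the per-row workaround."""
    rows = []
    for net, location in parse_ranges(csv_text):
        # iterating a network yields every address in it; a /21 gives 2048 rows
        for addr in net:
            rows.append((str(addr), location))
    return rows


def write_host_lookup(csv_text):
    """Render the expanded table as CSV text with an IP,location header."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["IP", "location"])
    writer.writerows(expand_to_hosts(csv_text))
    return out.getvalue()


def lookup_location(csv_text, src_ip):
    """Match src_ip against the CIDR rows directly; None when no range contains it."""
    addr = ipaddress.ip_address(src_ip)
    for net, location in parse_ranges(csv_text):
        if addr in net:
            return location
    return None


if __name__ == "__main__":
    print(write_host_lookup(RANGE_LOOKUP_CSV).splitlines()[:3])
    print(lookup_location(RANGE_LOOKUP_CSV, "50.106.60.7"))
```

Upload the generated file as a new lookup (for example range_location_hosts.csv) and use it with `| lookup range_location_hosts.csv IP AS src_ip OUTPUT location`. Note that large prefixes expand quickly (a /16 is 65,536 rows), so keep the table to the ranges you actually need.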

md_zali
New Member

Thanks Giuseppe,
Can you please help me with the search?
As mentioned, I need to compare source IPs with the ranges and return the location as a new field.

0 Karma