- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Client IP to Network Range Lookups & Reporting
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi All 🙂
I may have had too much coffee, because I'm having some trouble getting my head around this one.
I have a some web logs in which I have used Splunk to extract out a list of unique source IP addresses for incoming customer requests, and I would like to find out what ISP the requests originated from.
I have created a csv lookup table from the output of a 'show ip bgp' and a scripted 'whois' that is structured as follows:
<network-range>,<as-number>,<isp-name>
eg. 223.165.96.0/19,9268,Over The Wire Pty Ltd
So as far as my caffeine-riddled bloodsystem can tell I need to:
- Compare the IP address to the network-range in the lookup table
eg. The IP address 223.165.96.2 will be a unique match, as will 223.165.96.78.
- Lookup the
as-numberorisp-nameas my report sees fit - Do a count on the number of entries per unique ISP
eg. Two from the example listed above.
- Make a purdy pie graph showing what percentage of users came from where
...and I'm stuck on... step 1.
Is it possible to evaluate to see if a client_ip is present in a network range that is in an external lookup table, or am I going to need to script this up?
I'm running 4.2 and I have seen the cidrmatch command as well as the Splunk>Answers "How to best determine IP range membership?", however when dealing with 100,000+ routes I'm not sure this is the correct tool or way to do this.
As always, any help or suggestions gratefully received 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of Splunk 4.2 you can specify a match_type for a lookup in transforms.conf. See http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf
Setting the match_type to CIDR for your IP range field is probably what you are looking for.
transforms.conf:
[mylookup]
filename = isp.csv
match_type = CIDR(network-range)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
As of Splunk 4.2 you can specify a match_type for a lookup in transforms.conf. See http://www.splunk.com/base/Documentation/latest/Admin/Transformsconf
Setting the match_type to CIDR for your IP range field is probably what you are looking for.
transforms.conf:
[mylookup]
filename = isp.csv
match_type = CIDR(network-range)
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yep, that worked a treat! Interesting sidenote... the change to use:
match_type = CIDR(network-range)
Can't be done via the GUI which is fine, however if you make any changes in the GUI after doing this (eg. max_matches = 1), then the transforms.conf is reset to the values that may ONLY be set via the GUI.
That is to say, I lost my match_type command.
Thanks again 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks Ziegfried, I'll give that a try and let you know 🙂
New Case Study Shows the Value of Partnering with Splunk Academic Alliance
How to Monitor Google Kubernetes Engine (GKE)
Index This | How can you make 45 using only 4?
