Solved: Re: Creating a Lookup for respective cidr ranges

cbrissett · ‎07-12-2021

Hi, I am trying to create a query to highlight when specified accounts are used outside of their corresponding IP range by using a csv Lookup table.

For example, user account 'user1' has signed in from source ip 10.0.0.200 but they are only meant to sign in from 10.0.0.0/25 or 11.0.0.0/25 or 12.0.0.0/25, The csv file would be like follows:

User, allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
User1, 10.0.0.0/25, 11.0.0.0/25, 12.0.0.0/25
User 2, 10.0.0.128/25, 11.0.0.128/25
User 3 10.0.1.0/25

Note that some accounts have a single range, some multiple. Does anyone know how I could make an appropriate Lookup command that will only show user accounts that have been used outside of their designated ip ranges?

kamlesh_vaghela · ‎07-12-2021

@cbrissett

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

View solution in original post

kamlesh_vaghela · ‎07-12-2021

@cbrissett

Can you please try this example?

I have used lookup named cidr_lookup.csv with below value.

User,allowed_cidr_range1,allowed_cidr_range2,allowed_cidr_range3
User1,10.0.0.0/25,11.0.0.0/25,12.0.0.0/25
User2,10.0.0.128/25,11.0.0.128/25 
User3,10.0.1.0/25

transforms.conf

[cidr_lookup]
filename = cidr_lookup.csv

Search:

YOUR_SEARCH
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3
|where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source))
| table User source

My Sample Search :

| makeresults count=255 | eval a=3 | accum a | eval source="10.0.0."+a,User="User1" 
| rename comment as "Upto Now is sample data only" 
| lookup cidr_lookup User output allowed_cidr_range1, allowed_cidr_range2, allowed_cidr_range3 
| where NOT (cidrmatch(allowed_cidr_range1,source) OR cidrmatch(allowed_cidr_range2,source) OR cidrmatch(allowed_cidr_range3,source)) 
| table User source

Thanks
KV
▄︻̷̿┻̿═━一

If any of my reply helps you to solve the problem Or gain knowledge, an upvote would be appreciated.

cbrissett · ‎07-13-2021

Thanks very much this worked!

Creating a Lookup for respective cidr ranges

eval

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

May 2026 Splunk Expert Sessions: Security & Observability

Network to App: Observability Unlocked [May & June Series]

SPL2 Deep Dives, AppDynamics Integrations, SAML Made Simple and Much More on Splunk ...

Join the Conversation