I have one problem: I want to extract IP addresses that are not in the lookup of the list of servers and not in the lookup of the list of network devices, and this IP must match the list of subnets defined in a lookup. The goal of this request is to find unknown IP addresses.
This is the structure of the lookup CSV:
For example, if in my index I find an IP like 10.18.18.36 that is not in server.csv or network.csv but matches the subnet 10.18.0.0/16, I want to send an ALERT, but if this IP exists in the server or network lookup it isn't a problem.
This is my search:
index="DNS" |dedup dns_ip |rename dns_ip as IP_addresses |search [| inputlookup subnet.csv | fields Plage| rename Plage as IP_addresses] NOT [|inputlookup server.csv|fields IP_addresses] OR NOT [|inputlookup Network.csv | fields IP_addresses] | table IP_addresses
But this search gives me all the IPs in the network lookup and the server lookup that match the subnet lookup. Can anyone please help me?
In the description you mention network.csv, but when you show the content of the CSV files, server.csv has two different contents.
I suppose one of the two is in fact network.csv. Can you please update it so I can have a look?
First, set up your CIDR lookup. There's a description of that in this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html. and this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html
Second, search your CIDR first. After all, you only want to alert if it matches the subnet. If it does not match the subnet(s), then throw it away.
Finally, search the known lists. In each case, if it matches, throw it away.
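As an added illustration of the three steps in the answer above (this is example code written for this page, not code from the thread or from Splunk), here is the same pipeline in Python over constructed sample data. The column names Plage and IP_addresses are taken from the original search; the CSV rows, the DNS events and the header layout of the files are assumptions, since the real lookup contents are not shown. The order matters: dedup, then keep only IPs that fall inside a monitored subnet, then drop anything that is in either known list, so what remains is the unknown IP in a monitored range that should raise the alert.

```python
import csv
import io
import ipaddress

# Constructed stand-ins for subnet.csv, server.csv and Network.csv.
# The column headers (Plage, IP_addresses) come from the original search;
# the rows are made up for this example.
SUBNET_CSV = """Plage
10.18.0.0/16
192.168.50.0/24
"""
SERVER_CSV = """IP_addresses
10.18.18.10
10.18.18.11
"""
NETWORK_CSV = """IP_addresses
10.18.1.1
192.168.50.1
"""

# Constructed stand-in for index="DNS" events carrying a dns_ip field.
DNS_EVENTS = [
    {"dns_ip": "10.18.18.36"},    # in 10.18.0.0/16, in neither list -> alert
    {"dns_ip": "10.18.18.10"},    # in subnet, known server -> drop
    {"dns_ip": "10.18.1.1"},      # in subnet, known network device -> drop
    {"dns_ip": "8.8.8.8"},        # not in any monitored subnet -> drop
    {"dns_ip": "10.18.18.36"},    # duplicate of the first event -> dedup
    {"dns_ip": "192.168.50.77"},  # in 192.168.50.0/24, unknown -> alert
    {"dns_ip": "not-an-ip"},      # unparsable value -> drop
]


def load_column(csv_text, column):
    """Read one column of a CSV lookup, skipping blank cells."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [row[column].strip() for row in reader if row.get(column, "").strip()]


def load_subnets(csv_text, column="Plage"):
    """Step 1: the CIDR lookup, parsed into network objects so membership is a real prefix test."""
    return [ipaddress.ip_network(s, strict=False) for s in load_column(csv_text, column)]


def load_known_ips(*csv_texts, column="IP_addresses"):
    """The known lists (servers and network devices), merged into one set."""
    known = set()
    for text in csv_texts:
        for s in load_column(text, column):
            known.add(ipaddress.ip_address(s))
    return known


def find_unknown_ips(events, subnets, known, field="dns_ip"):
    """Dedup the IPs, keep those inside a monitored subnet (step 2),
    then drop any that appear in the known lists (step 3)."""
    seen = set()
    unknown = []
    for event in events:
        raw = event.get(field)
        if not raw or raw in seen:
            continue
        seen.add(raw)
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            continue  # malformed value, nothing to match against
        matched = next((net for net in subnets if ip in net), None)
        if matched is None:
            continue  # not in a subnet we care about: throw it away
        if ip in known:
            continue  # known server or network device: throw it away
        unknown.append({"IP_addresses": str(ip), "subnet": str(matched)})
    return unknown


if __name__ == "__main__":
    subnets = load_subnets(SUBNET_CSV)
    known = load_known_ips(SERVER_CSV, NETWORK_CSV)
    for hit in find_unknown_ips(DNS_EVENTS, subnets, known):
        print("ALERT unknown IP", hit["IP_addresses"], "in", hit["subnet"])
```

One point the example makes explicit: the exclusions are conjunctive. An IP is unknown only if it is absent from the server list AND absent from the network list. The original search wrote `NOT [server] OR NOT [network]`, which is true for any IP missing from at least one of the two lists, so every server IP (absent from the network list) and every network-device IP (absent from the server list) passes through. In SPL the two `NOT [...]` subsearches have to be joined by the implicit AND rather than by OR.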