
Filter results by IP address from 3 lookup

Engager

Hello

I have one problem: I want to extract IP addresses that are not in the lookup of the list of servers and not in the lookup of the list of network devices, and the IP must match one of the subnets defined in a lookup. The goal of this request is to find unknown IP addresses.

This is the structure of the lookup CSV files:

Subnet.csv

Attribution   Plage
SubnetX       10.10.0.0/16
Subnety       10.15.0.0/16
Subnetz       10.18.0.0/16

server.csv

Hostname   IP_addresses
Host1      10.10.15.35
Host2      10.15.15.35
Host3      10.18.15.35

network.csv

Hostname   IP_addresses
network1   10.10.16.35
network2   10.15.17.35
network3   10.18.18.35

For example, if in my index I find an IP like 10.18.18.36, that IP is not in server.csv or network.csv but matches the subnet 10.18.0.0/16, so I want to send an ALERT; but if this IP exists in the server or network lookup, it isn't a problem.

This is my request:

index="DNS"
| dedup dns_ip
| rename dns_ip as IP_addresses
| search [| inputlookup subnet.csv | fields Plage | rename Plage as IP_addresses]
  NOT
    [| inputlookup server.csv | fields IP_addresses]
  OR NOT
    [| inputlookup Network.csv | fields IP_addresses]
| table IP_addresses

But this request gives me all the IPs in the network lookup and the server lookup that match the subnet lookup. Please, can anyone help me?


Re: Filter results by IP address from 3 lookup

Builder

Hello,
In the description, you mention network.csv, but when you show the content of the csv files, server.csv has two different contents.
I suppose one of the two is in fact network.csv. Can you please update so I can have a look?


Re: Filter results by IP address from 3 lookup

Engager

Hi, yes, you are right.
I have updated the content of my request; now you can look.

thank you for your help


Re: Filter results by IP address from 3 lookup

Engager

Hello

Can you help if you have any information about this request, please?


Re: Filter results by IP address from 3 lookup

SplunkTrust

First, set up your CIDR lookup. There's a description of that in this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html and this one ... https://answers.splunk.com/answers/618756/how-to-use-lookup-for-cidr-ip-addresses.html

Second, search your CIDR first. After all, you only want to alert if it matches the subnet. If it does not match the subnet(s), then throw it away.

Finally, search the known lists. In each case, if it matches, throw it away.

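A search that follows those three steps, added here as an example and not taken from the thread. It assumes a lookup definition named subnet_lookup built from Subnet.csv with match_type = CIDR(Plage) (an assumed name; set it in transforms.conf or under Lookup definitions > Advanced options), and that server.csv and network.csv are uploaded lookup files with the columns shown in the question.

```spl
index="DNS"
| stats count AS dns_queries BY dns_ip
| rename dns_ip AS IP_addresses
| lookup subnet_lookup Plage AS IP_addresses OUTPUT Attribution
| where isnotnull(Attribution)
| lookup server.csv IP_addresses OUTPUT Hostname AS server_host
| lookup network.csv IP_addresses OUTPUT Hostname AS network_host
| where isnull(server_host) AND isnull(network_host)
| table IP_addresses Attribution dns_queries
```

Every row returned is an address inside a defined subnet that neither known-host list explains, so the alert condition is simply "number of results > 0". The CIDR lookup replaces the literal subsearch on Plage (a host IP never equals the string "10.18.0.0/16"), and the two isnull() tests replace the NOT ... OR NOT ... clause, whose OR branch matched every address that was merely absent from network.csv.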