Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

How to define a constant variable for internal IP addresses for all apps and searching?

jcrochon
Explorer
‎08-07-2018 03:20 PM

I’m looking for a way to define a constant to use as a variable when searching.

Such defined as:

define LocalIPs = 10.10.0.0/16, 192.168.0.0/16, 128.131.0.0/16

Search as:

search src_ip=LocalIPs | top src_ip,dest_ip
0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-07-2018 03:37 PM

save your list in a csv lookup in a column named src_ip and list your ip's
after that in your search you can then use:

 [|inputlookup local_ips.csv] | top src_ip,dest_ip

this will translate to 

(src_ip=10.10.0.0/16 OR src_ip=192.168.0.0/16 OR src_ip=128.131.0.0/16) | top src_ip,dest_ip
------------
Hope I was able to help you. If so, some karma would be appreciated.

View solution in original post

Reply
Solved! Jump to solution
Solution

diogofgm
SplunkTrust
SplunkTrust
‎08-07-2018 03:37 PM

save your list in a csv lookup in a column named src_ip and list your ip's
after that in your search you can then use:

 [|inputlookup local_ips.csv] | top src_ip,dest_ip

this will translate to 

(src_ip=10.10.0.0/16 OR src_ip=192.168.0.0/16 OR src_ip=128.131.0.0/16) | top src_ip,dest_ip
------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

jcrochon
Explorer
‎08-08-2018 02:26 PM

Is there an option in the interface to define this?

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-09-2018 12:40 AM

Just create your csv and upload it via splunk lookup menu.
Also, you can you the app lookup editor to create it and maintain it.

------------
Hope I was able to help you. If so, some karma would be appreciated.
0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎08-09-2018 06:14 AM

P. S. What if I wanted to switch from local src_ip to dest_ip?

Would this work:
dest_ip=[| inputlookup local_ips.csv]

0 Karma
Reply
Solved! Jump to solution

diogofgm
SplunkTrust
SplunkTrust
‎08-09-2018 06:42 AM

[|inputlookup local_ips.csv | rename src_ip AS dest_ip] | ...

------------
Hope I was able to help you. If so, some karma would be appreciated.
Reply
Solved! Jump to solution

jcrochon
Explorer
‎08-09-2018 09:59 AM

Thanks again for all the help.

0 Karma
Reply
Solved! Jump to solution

jcrochon
Explorer
‎08-09-2018 06:06 AM

Thank you.

0 Karma
Reply
Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...