Solved: Re: How to define a constant variable for internal...

jcrochon · ‎08-07-2018

I’m looking for a way to define a constant to use as a variable when searching.

Such defined as:

define LocalIPs = 10.10.0.0/16, 192.168.0.0/16, 128.131.0.0/16

Search as:

search src_ip=LocalIPs | top src_ip,dest_ip

diogofgm · ‎08-07-2018

save your list in a csv lookup in a column named src_ip and list your ip's
after that in your search you can then use:

 [|inputlookup local_ips.csv] | top src_ip,dest_ip

this will translate to

(src_ip=10.10.0.0/16 OR src_ip=192.168.0.0/16 OR src_ip=128.131.0.0/16) | top src_ip,dest_ip

------------
Hope I was able to help you. If so, some karma would be appreciated.

diogofgm · ‎08-07-2018

save your list in a csv lookup in a column named src_ip and list your ip's
after that in your search you can then use:

 [|inputlookup local_ips.csv] | top src_ip,dest_ip

this will translate to

(src_ip=10.10.0.0/16 OR src_ip=192.168.0.0/16 OR src_ip=128.131.0.0/16) | top src_ip,dest_ip

------------
Hope I was able to help you. If so, some karma would be appreciated.

jcrochon · ‎08-08-2018

Is there an option in the interface to define this?

diogofgm · ‎08-09-2018

Just create your csv and upload it via splunk lookup menu.
Also, you can you the app lookup editor to create it and maintain it.

------------
Hope I was able to help you. If so, some karma would be appreciated.

jcrochon · ‎08-09-2018

P. S. What if I wanted to switch from local src_ip to dest_ip?

Would this work:
dest_ip=[| inputlookup local_ips.csv]

diogofgm · ‎08-09-2018

[|inputlookup local_ips.csv | rename src_ip AS dest_ip] | ...

------------
Hope I was able to help you. If so, some karma would be appreciated.

jcrochon · ‎08-09-2018

Thanks again for all the help.

jcrochon · ‎08-09-2018

Thank you.

How to define a constant variable for internal IP addresses for all apps and searching?