Solved: How to do a firewall search for all src ips and ma...

jleibow · ‎07-30-2018

Hello,

I am trying to do a firewall search for all src ips and match those ips to a subnet range that is in a lookup table. The final ouput would be a table that shows src_ip, the subnet location and count.

search:

| stats count by src_ip | lookup networks.csv lookup_ip OUTPUT subnet_desc | table src_ip,subnet_desc,count | sort 20 -num("count")

networks.csv
lookup_ip,subnet_loc
10.0.0.0\24,home
10.0.1.0\24,office

Current Final Output:
src_ip ,subnet location, count
10.0.0.15,,5
10.0.1.20,,4

Intended final output:
src_ip ,subnet location, count
10.0.0.15,home,5
10.0.1.20,office,4

somesoni2 · ‎07-30-2018

Splunk does a string match by default, hence your lookup statement is failing to match IP address to CIDR subnet value. To make the CIDR match, you'd need to setup a lookup definition on top of your lookup table csv file, which will do a CIDR match. Refer to following Splunk answer post for steps to setting up the same.

https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html

View solution in original post

somesoni2 · ‎07-30-2018

Splunk does a string match by default, hence your lookup statement is failing to match IP address to CIDR subnet value. To make the CIDR match, you'd need to setup a lookup definition on top of your lookup table csv file, which will do a CIDR match. Refer to following Splunk answer post for steps to setting up the same.

https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html

How to do a firewall search for all src ips and match those ips to a subnet range that is in a lookup table?

Updated Team Landing Page in Splunk Observability

New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...