Hello,
I am trying to do a firewall search for all src IPs and match those IPs to a subnet range that is in a lookup table. The final output would be a table that shows src_ip, the subnet location and count.
search:
| stats count by src_ip | lookup networks.csv lookup_ip AS src_ip OUTPUT subnet_loc | table src_ip,subnet_loc,count | sort 20 -num(count)
networks.csv
lookup_ip,subnet_loc
10.0.0.0/24,home
10.0.1.0/24,office
Current Final Output:
src_ip, subnet location, count
10.0.0.15,,5
10.0.1.20,,4
Intended final output:
src_ip, subnet location, count
10.0.0.15,home,5
10.0.1.20,office,4
Splunk does a string match by default, hence your lookup statement is failing to match the IP address to the CIDR subnet value. To make the CIDR match, you'd need to set up a lookup definition on top of your lookup table CSV file, which will do a CIDR match. Refer to the following Splunk Answers post for the steps to set up the same.
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
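As an added example (not part of the answer above), this is the kind of lookup definition the answer refers to; it assumes the definition is named networks and that the CSV keeps the lookup_ip and subnet_loc columns shown in the question:

```ini
# transforms.conf (added example, not from the original post)
# Defines a lookup named "networks" (assumed name) on top of the
# networks.csv file from the question, whose columns are
# lookup_ip (the CIDR range) and subnet_loc (the location label).
[networks]
filename = networks.csv
# The default match_type is an exact string match, so the event value
# "10.0.0.15" can never equal the row value "10.0.0.0/24". CIDR(<field>)
# makes Splunk test whether the event value falls inside the range
# stored in lookup_ip instead of comparing the two strings.
match_type = CIDR(lookup_ip)
# If ranges overlap, several rows could match one IP; keep one value.
max_matches = 1
```

The search then references the definition instead of the file, e.g. `| lookup networks lookup_ip AS src_ip OUTPUT subnet_loc`, and the CSV ranges must be written with a forward slash (10.0.0.0/24) for the CIDR match to parse them.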