Splunk newbie here....
Looking to determine IP Segment Name using a lookup table. I have a csv file that has three fields: from, to, segment Name. From = start of ip_range, to = last ip address in the range and segment Name is the Name for the ip_range.
In my search I have a src and that src = ip_address. So, my end result is to have the segment Name added to my results table when the src ip falls between from and to.
My search at the moment:
index=symantec sourcetype=dlp:policy_monitor | table _time id app action category src src_host dest
Current Table Results:
2015-06-10 12:00:00 46522 Endpoint HTTPS None SSN 1.2.3.15 my_laptop "some_website"
My lookup file:
all_networks.csv
The contents are many but the gist of it:
from segment Name to
1.2.3.4 My_Local_Network 1.2.3.255
So my desired end result would be:
2015-06-10 12:00:00 46522 Endpoint HTTPS None SSN 1.2.3.15 my_laptop "some_website" "segment Name"
Thanks in advance!
Hi wtaylor149,
take a look at this answer, where it is explained how to use a match_type = CIDR()
for a lookup http://answers.splunk.com/answers/93620/lookup-with-cidr.html
cheers, MuS
What you really need is a CIDR lookup.
Restructure your lookup to have 2 columns:
segment, segment_name
1.2.3.0/24, bob's network
1.2.4.0/24, bill's network
Then, create a lookup definition (in transforms.conf), and set match_type=cidr.
More info: http://docs.splunk.com/Documentation/Splunk/6.2.3/Knowledge/Addfieldsfromexternaldatasources
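The step the answer leaves to the asker is turning the existing from/to ranges into CIDR blocks. The script below is an added example (not from the thread or from Splunk) that converts a from/to CSV in the asker's layout into the two-column segment,segment_name form, using the standard library to split each range into the minimal set of CIDR blocks, and then emulates the membership test so the result can be checked before uploading. The sample CSV contents are constructed to match the shape shown in the question.

```python
import csv
import io
import ipaddress

# Constructed sample in the shape of the asker's all_networks.csv
# (from, segment Name, to); not the real file.
OLD_LOOKUP = """from,segment Name,to
1.2.3.4,My_Local_Network,1.2.3.255
1.2.4.0,Bills_Network,1.2.4.255
"""

def range_to_cidrs(first, last):
    """Return the minimal list of CIDR blocks covering first..last inclusive.

    A range that does not start and end on block boundaries (such as
    1.2.3.4 to 1.2.3.255) expands to several blocks, not one /24.
    """
    start = ipaddress.ip_address(first)
    end = ipaddress.ip_address(last)
    if end < start:
        raise ValueError(f"range end {last} precedes start {first}")
    return [str(net) for net in ipaddress.summarize_address_range(start, end)]

def convert_lookup(old_csv_text):
    """Rewrite from/to rows into segment,segment_name rows for match_type=cidr."""
    rows = []
    for row in csv.DictReader(io.StringIO(old_csv_text)):
        for cidr in range_to_cidrs(row["from"], row["to"]):
            rows.append({"segment": cidr, "segment_name": row["segment Name"]})
    return rows

def to_csv(rows):
    """Serialise the converted rows as the new lookup file contents."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["segment", "segment_name"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()

def lookup_segment(rows, ip):
    """Emulate the CIDR membership test: name of the first block containing ip."""
    addr = ipaddress.ip_address(ip)
    for row in rows:
        if addr in ipaddress.ip_network(row["segment"]):
            return row["segment_name"]
    return None

if __name__ == "__main__":
    converted = convert_lookup(OLD_LOOKUP)
    print(to_csv(converted))
    print("1.2.3.15 ->", lookup_segment(converted, "1.2.3.15"))
```

The printed CSV is the two-column file the answer asks for; the lookup definition for it then carries match_type = CIDR(segment) in transforms.conf.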
Thanks for the quick reply. I will try this today once I create all the cidr blocks in the csv file. I was being lazy and didn't want to do that. 🙂
HeHe, I'm too slow in the morning 🙂