Splunk Search

How to eval using cidrmatch and lookup file

wtaylor149
Explorer

First, I don't have access to the cli so I'm not able to use conf files to make this work. I can work with the team that does have that access but if it can be accomplished using search strings, that's my preference.

I have a csv file, has two columns.
a) internal_network_name - example (cust_vpn)
b) subnet - example (192.168.1.0/24)

I want to use my firewall (eventually other indexes as well) index to determine the network_name of the source or destination that is identified in the lookup file. So the search query must eval the src and dest and if it falls in the range of subnets, tell me which one it is and if not, state something clever like "notLocal".

I use the cidrmatch command in other searches but this one is giving me a fit. Thanks Splunkers for your help, you guys / gals have always come through when needed.

jmallorquin
Builder

Hi,

To use CIDR, first of all you have to configure the lookup with this kind of match:
http://docs.splunk.com/Documentation/Splunk/6.4.0/Admin/Transformsconf

> match_type = <string>
> * A comma and space-delimited list of <match_type>(<field_name>) specification to allow for non-exact matching
> * The available match_type values are WILDCARD, CIDR, and EXACT. EXACT is the default and does not need to be specified. Only fields that should use WILDCARD or CIDR matching should be specified in this list

After you do that, you can use your lookup as you want.

Hope I helped you.

0 Karma
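As an added example (not from either poster), this is the search that the answer's match_type excerpt makes possible, assuming a lookup definition named `internal_networks` over the two-column CSV whose transforms.conf stanza (or the lookup definition's advanced options in Splunk Web) carries `match_type = CIDR(subnet)`. The index name `firewall` and the event fields `src` and `dest` are assumed; it labels both ends with the lookup's `internal_network_name`, falls back to "notLocal", and derives a traffic direction from the two labels.

```spl
index=firewall
| lookup internal_networks subnet AS src OUTPUT internal_network_name AS src_network
| lookup internal_networks subnet AS dest OUTPUT internal_network_name AS dest_network
| eval src_network=coalesce(src_network, "notLocal")
| eval dest_network=coalesce(dest_network, "notLocal")
| eval direction=case(
    src_network!="notLocal" AND dest_network=="notLocal", "outbound",
    src_network=="notLocal" AND dest_network!="notLocal", "inbound",
    src_network!="notLocal" AND dest_network!="notLocal", "internal",
    true(), "external")
| table _time src src_network dest dest_network direction
```

Without the CIDR match type the lookup falls back to EXACT matching, an address like 192.168.1.25 never equals the string 192.168.1.0/24, and every row comes back "notLocal", which is the symptom described in the question.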

wtaylor149
Explorer

I much appreciate the reply. The reason I didn't go this route is that I don't have access to Splunk to be able to diddle the transforms.conf file, I only have access to the GUI. Looks like I'll have to work with the Splunk Admins to work this out.

0 Karma

wtaylor149
Explorer

Anyone out there?

0 Karma

axin
New Member

Did you ever find a solution to this? I'm actually trying to accomplish the same.

0 Karma

wtaylor149
Explorer

Axin, no I did not. The use case kinda got scrapped so I dropped this one. I'm looking to try this out on another use case coming up so I'll post back if I get this working.

0 Karma