Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to exclude traffic with src_ip or dest_ip using lookup file

imst27
Observer
2 weeks ago

Hi,

I’m building a search on the Network_Traffic datamodel to detect high outbound flows (>1 GB).
I need to exclude a list of known backup / AWS ranges, and the exclusion should apply if either src_ip or dest_ip matches any of them.

Right now my query looks like this (shortened for readability):

| tstats `security_content_summariesonly`
    sum(All_Traffic.bytes_out) as bytes_out
  from datamodel=Network_Traffic
  where All_Traffic.action=allowed
  by All_Traffic.src_ip All_Traffic.dest_ip _time span=1d
| `drop_dm_object_name("All_Traffic")`
| where bytes_out > 1073741824
| where NOT (
    cidrmatch("<internal_backup_subnet>/24", src_ip) OR cidrmatch("<internal_backup_subnet>/24", dest_ip)
 OR cidrmatch("<external_backup_subnet>/24", src_ip) OR cidrmatch("<external_backup_subnet>/24", dest_ip)
 … etc …
)
| table _time src_ip src_port dest_ip dest_port transport app vlan bytes_gb dvc rule action user dest_interface src_interface direction src_zone dest_zone
 

This works, but the WHERE NOT block is huge (I’ve got 40+ CIDRs).

I tried to utilized inputlookup and lookup file but failed, the lookup file backup-subnet-test.csv structure are as follow

subnetcomment
<subnet>/28comment1
<subnet>/20comment2
<subnet>/32comment3
 
Question
  • Is it possible to use a lookup file for this case? I want to use the lookup file (backup-subnet-test.csv) to exclude traffic if either src_ip or dest_ip matches a subnet in the lookup.
  • Or is there a cleaner way to apply the CIDR lookup once against both fields?

Thanks a lot in advance!

Labels (3)
Labels
0 Karma
Reply

PrewinThomas
Motivator
2 weeks ago

@imst27 

Yes the lookup approach is much better. Its better to simplify giant cidrmatch() block into two clean lookup calls, one for src_ip and one for dest_ip.

Eg:

| lookup backup_subnets subnet as src_ip OUTPUT comment as src_match
| lookup backup_subnets subnet as dest_ip OUTPUT comment as dest_match
| where isnull(src_match) AND isnull(dest_match)
| table _time src_ip dest_ip src_match dest_match

Regards,
Prewin
If this answer helped you, please consider marking it as the solution or giving a Karma. Thanks!

0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Decoded: Service Maps vs Service Analyzer Tree View vs Flow Maps

It’s Monday morning, and your phone is buzzing with alert escalations – your customer-facing portal is running ...

What’s New in Splunk Observability – September 2025

What's NewWe are excited to announce the latest enhancements to Splunk Observability, designed to help ITOps ...

Fun with Regular Expression - multiples of nine

Fun with Regular Expression - multiples of nineThis challenge was first posted on Slack #regex channel ...