Splunk Search
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

How to normalize the IPs in lookup table which is in CIDR notation ?

AL3Z
Builder
‎12-19-2022 04:22 AM

IPs in lookup table

3.124.56/32

64.37.99.0/24

55.63.24.7/16

 How to edit my search to Exclude  an IPs  from outside to a Subnet IP in a lookup file?

Labels (1)
Labels
0 Karma
Reply

scelikok
SplunkTrust
SplunkTrust
‎01-17-2023 05:24 AM

Hi @AL3Z,

You can easily use inputlookup command. Assuming your subnets is in subnets.csv lookup with ip field.  And your events are in src_ip field.

| search [|inputlookup subnets.csv | rename ip as src_ip]

 

If this reply helps you an upvote and "Accept as Solution" is appreciated.
0 Karma
Reply

starcher
Influencer
‎12-19-2022 05:34 AM

Follow the Splunk docs to setup your lookup with a lookup definition and match type of CIDR for that column.

https://docs.splunk.com/Documentation/Splunk/9.0.2/Knowledge/Usefieldlookupstoaddinformationtoyourev...

Then use the lookup as a lookup. The pattern is usually like the below to filter where in the lookup,

MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnotnull(toFilter)

  

Reply

yuanliu
SplunkTrust
SplunkTrust
‎01-17-2023 12:25 PM

To add to @starcher's instructions, I recently made this screenshot to help another question; the only difference is file name.

lookup-cidr.pngAs shown here, you need to check "Advanced options" in order to set up CIDR match type.

As you are looking for non-matching entries, your filter should be isnull as opposed to isnotnull.

MYSEARCH
| lookup mylookup src OUTPUTNEW src as toFilter
| where isnull(toFilter)

 

0 Karma
Reply

AL3Z
Builder
‎01-17-2023 04:54 AM

@balu1211 

0 Karma
Reply
Get Updates on the Splunk Community!

Observe and Secure All Apps with Splunk

  Join Us for Our Next Tech Talk: Observe and Secure All Apps with SplunkAs organizations continue to innovate ...

Splunk Decoded: Business Transactions vs Business IQ

It’s the morning of Black Friday, and your e-commerce site is handling 10x normal traffic. Orders are flowing, ...

Fastest way to demo Observability

I’ve been having a lot of fun learning about Kubernetes and Observability. I set myself an interesting ...