How to reference Splunk lookup question for cidrmatch?

cybersecnutant
Explorer

I have a lookup file called prefixes.csv, and it has about 5 headers:

prefix,location,description,owner
"1.0.0.0/8",usa,"corporate things", "joe schmoe"

I want to be able to reference this file so that, for example, if I am looking at firewall logs, I can ignore or, alternatively, specifically look for events whose src_ip falls into these ranges.

So for example, something like:

index=firewall src_ip=* | search NOT [| inputlookup prefixes.csv | fields + prefix | rename prefix as src_ip]

I know that I can do something like this if I had every range expanded for single entries per IP, but is there a way to do this with cidr? I have tried doing the lookup definition route but I think I am missing something or misunderstanding something there.

Thanks in advance


yuanliu
SplunkTrust

1.0.0.0/8 is a CIDR notation. Splunk lookup fully supports it. See Create a CSV lookup definition about how to set up the "prefix" field as type CIDR.

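As an added example, not from the thread, this is the lookup definition the accepted answer points to, written as a transforms.conf stanza, together with searches that use it against the asker's prefixes.csv written as savedsearches.conf stanzas; the stanza names are assumptions.

```ini
# transforms.conf (equivalent to Settings > Lookups > Lookup definitions > Advanced options)
# The stanza name prefixes_cidr is an assumption; pick any name you like.
[prefixes_cidr]
filename   = prefixes.csv
# Treat the prefix column as a CIDR range. Without this the lookup compares
# src_ip against the literal string "1.0.0.0/8" and never matches anything.
match_type = CIDR(prefix)

# savedsearches.conf (stanza names are assumptions): the two searches the question asks for.
# The lookup adds location/owner to every event whose src_ip falls inside a listed prefix,
# so events outside all ranges simply get no location field.

# Ignore traffic from the known prefixes
[firewall_outside_known_prefixes]
search = index=firewall src_ip=* \
| lookup prefixes_cidr prefix AS src_ip OUTPUTNEW location owner \
| where isnull(location)

# Only look at traffic from the known prefixes
[firewall_inside_known_prefixes]
search = index=firewall src_ip=* \
| lookup prefixes_cidr prefix AS src_ip OUTPUTNEW location owner \
| where isnotnull(location)

# One-off check of a single range with the eval function from the title; no definition needed
[firewall_one_range]
search = index=firewall src_ip=* | where cidrmatch("1.0.0.0/8", src_ip)
```

OUTPUTNEW leaves any location or owner field the firewall events already carry untouched; use OUTPUT if the lookup values should overwrite them.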

cybersecnutant
Explorer

Looks like I just needed to set up the definition for 1 particular file that I was using for testing versus the others which already were set up. Thank you
