Solved: Re: Splunk lookup question for cidrmatch

cybersecnutant · ‎07-31-2023

I have a lookup file called prefixes.csv, and it has about 5 headers:

prefix,location,description,owner
"1.0.0.0/8",usa,"corporate things", "joe schmoe"

I want to be able to reference this file so that, for example, if I am looking at firewall logs, I can ignore or , alternatively, specifically look for events where their src_ip falls into these ranges.

So for example, something like:

index=firewall src_ip=* | search NOT [ |inputlookup | field + prefix | rename prefix as src_ip]

I know that I can do something like this if I had every range expanded for single entries per IP, but is there a way to do this with cidr? I have tried doing the lookup definition route but I think I am missing something or misunderstanding something there.

Thanks in advance

__PRESENT

yuanliu · ‎07-31-2023

1.0.0.0/8 is a CIDR notation. Splunk lookup fully supports it. See Create a CSV lookup definition about how to setup "prefix" field as type CIDR.

View solution in original post

yuanliu · ‎07-31-2023

1.0.0.0/8 is a CIDR notation. Splunk lookup fully supports it. See Create a CSV lookup definition about how to setup "prefix" field as type CIDR.

cybersecnutant · ‎01-03-2024

Looks like I just needed to set up the definition for 1 particular file that was I using for testing versus the others which already were set up. Thank you

How to reference Splunk lookup question for cidrmatch?

lookup

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

.conf24 | Session Scheduler is Live!!

Introducing the Splunk Community Dashboard Challenge!