Are you a member of the Splunk Community?
- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Lookup Source IP or Destination IP value
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Greetings,
My journey continues. Now I would like to have a lookup match either the source or destination IP to an internal department.
This works for src_ip:
transforms.conf
[ipam]
filename = ipam.csv
match_type = CIDR(src_ip)
props.conf
[pan_threat]
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
ipam.csv
src_ip,Dept
10.1.15.0/24,Dept 1
10.1.16.0/24,Dept 1
10.8.1.0/18,Dept 2
10.9.1.0/19,Dept 3
Now I would like to do the same with destination IP.
I tried:
transforms.conf
[dst_ip]
filename = ipam.csv
match_type = CIDR(dst_ip)
props.conf
[pan_threat]
LOOKUP-dst_ip = ipam dst_ip OUTPUTNEW Dept AS Department
ipam.csv
dst_ip,src_ip,Dept
10.1.15.0/24,10.1.15.0/24,Dept 1
10.1.16.0/24,10.1.16.0/24,Dept 1
10.8.1.0/18,10.8.1.0/18,Dept 2
10.9.1.0/19,10.9.1.0/19,Dept 3
But no luck. Thoughts on this would be very much appreciated!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The secret sauce on this was the class name - they have to be different but the field name can be the same. Precedent will take place if src and dst are both in the 10.x.x.x range (in above example)
[cisco_asa]
LOOKUP-ipam_source = ipam_src src_ip OUTPUTNEW Dept AS Department
LOOKUP-ipam_destination = ipam_dest dest_ip OUTPUTNEW Dept AS Department
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The secret sauce on this was the class name - they have to be different but the field name can be the same. Precedent will take place if src and dst are both in the 10.x.x.x range (in above example)
[cisco_asa]
LOOKUP-ipam_source = ipam_src src_ip OUTPUTNEW Dept AS Department
LOOKUP-ipam_destination = ipam_dest dest_ip OUTPUTNEW Dept AS Department
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Go back to what you have at the top. You don't want a field declared as a source type.
I would also change your lookup table back to single column as you have in first example. Change src_ip field header to just ip.
Then change this:
LOOKUP-ipam = ipam src_ip OUTPUTNEW Dept AS Department
To:
LOOKUP-ipam_src = ipam ip AS src_ip OUTPUTNEW Dept AS Src_Department
LOOKUP-ipam_dest = ipam ip AS dest_ip OUTPUTNEW Dept AS Dest_Department
That will auto lookup your src_ip and dest_ip as ip from the file and return the results prefixed appropriately as Src_Department and Dest_Department.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the answer starcher, however, what I really want is one field "Department".
Thanks
[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions
Shape the Future of Splunk: Join the Product Research Lab!
Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal
