Splunk Search

Lookup table question

xvxt006
Contributor

Hi, I have a lookup table where I have the below values.

My questions are:
1. When I specify a CIDR block, would it work? Or do I need to specify each IP?
2. We have a set of internal IPs which you can see in the below table. I have specified .* in the IPs, for example 10.*. Would it consider all the IPs that start with 10.?
3. Is it possible to specify NOT logic? Meaning NOT all the internal requests as external, so it would be ^10.*

WhitelistIPs    clientip
Company XXX     63.122.163.0/27
Company YYYY    63.158.163.8
Company YYYY    64.274.165.6
Company YYYY    38.172.74.18
Company YYYY    12.298.108.202
Company YYYY    67.247.113.226
Company ZZZZ    74.189.118.39
Company ZZZZ    74.129.118.40
Internal        10.*
Internal        167.115.*
Internal        192.168.*
Internal        63.85.20.233
0 Karma

theouhuios
Motivator

You can use cidrmatch("65.222.163.0/27",clientip) for exact matches. For something which starts with 10, you can use match(). Example: match(clientip, "^10\.\d{1,3}\.\d{1,3}\.\d{1,3}$")

You can use NOT logic too.

0 Karma

theouhuios
Motivator

Yup that's right.

0 Karma

Ayn
Legend

You can't have both wildcard matching and CIDR - it has to be one of them (and you need to specify that in transforms.conf).

0 Karma

theouhuios
Motivator

It will depend. I guess you would need to set up your lookup in a way that it can give the clientip as output along with WhitelistIPs. So for clientip as input, both clientip and WhitelistIPs need to be output. Then you can use the above functions and play around.

Do accept the answer if it works for you. Thanks

0 Karma
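Added example, not code from the thread: since one lookup field can take either WILDCARD or CIDR in its transforms.conf match_type but not both (Ayn's point), this script rewrites the "10.*"-style rows as CIDR blocks, emulates match_type = CIDR(clientip) matching, and reports rows that can never match. The rows are constructed from the question's table; the field name clientip and the labels are the thread's.

```python
import ipaddress
from typing import Optional

# Constructed rows modelled on the question's table (sample data, not a real
# whitelist). Wildcard rows are rewritten as CIDR so a single match_type works.
LOOKUP_ROWS = [
    ("Company XXX", "63.122.163.0/27"),
    ("Company YYYY", "63.158.163.8"),
    ("Company YYYY", "64.274.165.6"),  # octet 274 > 255: this row can never match
    ("Internal", "10.*"),
    ("Internal", "167.115.*"),
    ("Internal", "192.168.*"),
    ("Internal", "63.85.20.233"),
]

def wildcard_to_cidr(pattern: str) -> str:
    """Rewrite a dotted-prefix wildcard ("10.*", "192.168.*") as a CIDR block.
    Plain addresses and CIDR blocks are returned unchanged."""
    if not pattern.endswith(".*"):
        return pattern
    octets = pattern[:-2].split(".")
    if not 1 <= len(octets) <= 3 or not all(o.isdigit() for o in octets):
        raise ValueError(f"unsupported wildcard pattern: {pattern!r}")
    network = ".".join(octets + ["0"] * (4 - len(octets)))
    return f"{network}/{8 * len(octets)}"

def normalize_rows(rows):
    """Return (label, network) pairs plus the rows that are not valid IPv4.
    Bad rows are reported rather than dropped so the CSV can be corrected."""
    valid, rejected = [], []
    for label, value in rows:
        try:
            valid.append((label, ipaddress.ip_network(wildcard_to_cidr(value), strict=False)))
        except ValueError as exc:
            rejected.append((label, value, str(exc)))
    return valid, rejected

def classify(clientip: str, networks) -> Optional[str]:
    """Emulate the lookup with match_type = CIDR(clientip): first matching row wins."""
    ip = ipaddress.ip_address(clientip)
    for label, net in networks:
        if ip in net:
            return label
    return None

def is_external(clientip: str, networks) -> bool:
    """The NOT logic from the question: anything not labelled Internal is external."""
    return classify(clientip, networks) != "Internal"
```

In Splunk itself the same outcome is a lookup with match_type = CIDR(clientip) followed by a where clause excluding WhitelistIPs="Internal".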

xvxt006
Contributor

Thank you!!! But can I use all of this in the lookup spreadsheet?

where clientip is the input field and WhitelistIPs is the output field.

So the data would be like this?
WhitelistIPs    clientip
Company XXX     cidrmatch("65.222.163.0/27",clientip)
Company YYYY    63.158.163.8

0 Karma