Splunk Search

Match IP address in Splunk to IP range in CSV


index=logs ip_address=*
has single ip addresses like

CSV file:
range, owner Owner1 Owner2

How can I correlate ip_address to CIDR in CSV file?

I guess we need to use CIDR_match and input lookup function somewhere.

0 Karma

Esteemed Legend

Run this search:

|makeresults | eval raw=" Owner1:: Owner2"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "^(?<range>\S+)\s+(?<owner>.*)$"
| table range owner
| outputlookup MyLookup.csv

You now have a Lookup file.

Create a Lookup definition like this:
Settings -> Lookups -> Lookup definitions -> New
Give it a name like MyLookup and select File-based for Type and MyLookup.csv for Lookup file.
Click Advanced options checkbox.
Enter CIDR(range) for Match type.
Click the green Save button.
You now have a Lookup definition.

Create an Automatic lookup like this:
Settings -> Lookups -> Automatic lookups -> New
Give it a name like MyLookup_ip_address_TO_owner.
Select MyLookup for Lookup table (yes, it is mislabeled).
Enter your sourcetype for Named.
Enter range on the left and ip_address on the right under Lookup input fields.
Enter owner on the left under Lookup output fields
Check (or not) the Overwrite field values box.
Click the green Save button.
You now have an Automatic lookup.

Wait 10 minutes.

0 Karma


The best way to do this is to configure your lookup table to perform CIDR matching. Here is a good example of how to do that:

This will allow you to just use | lookup ip_address... like normal, but it will use CIDR matching under the hood.

0 Karma


so how would you rewrite my query?

0 Karma


After you've configured your lookup to use CIDR matching, let's say you called your lookup ip_owner. If you have a base search already and just want to retain the events from your search that match the CIDRs in the lookup:

your base search 
| lookup ip_owner range AS ip_address OUTPUT owner
| where isnotnull(owner)
0 Karma
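The two answers above describe the same mechanism from two sides: the lookup definition with Match type CIDR(range) (the UI equivalent of match_type = CIDR(range) in the lookup's transforms.conf stanza), and the search-time `| lookup ... OUTPUT owner | where isnotnull(owner)` that uses it. The Python below is an added example, not code from the thread or from Splunk; it reimplements that CIDR lookup offline so you can check what the automatic lookup should produce for a given event set, or validate a range file before uploading it. The lookup rows, the event records and all IP addresses in it are constructed; it also goes slightly beyond the thread by skipping rows whose range is not a valid CIDR and by preferring the most specific (longest-prefix) matching row when ranges overlap, which is a design choice of this example rather than a statement about how Splunk orders matches.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for MyLookup.csv; the ranges and owners are made up.
# The last row is deliberately malformed to show that bad rows are skipped.
LOOKUP_CSV = """range,owner
10.0.0.0/8,Owner1
192.168.1.0/24,Owner2
192.168.0.0/16,Owner3
not-a-range,Owner4
"""

# Constructed stand-in for the events returned by: index=logs ip_address=*
EVENTS: List[Dict[str, str]] = [
    {"_time": "2024-01-01T10:00:00Z", "ip_address": "10.1.2.3", "action": "allowed"},
    {"_time": "2024-01-01T10:00:01Z", "ip_address": "192.168.1.10", "action": "blocked"},
    {"_time": "2024-01-01T10:00:02Z", "ip_address": "8.8.8.8", "action": "allowed"},
    {"_time": "2024-01-01T10:00:03Z", "ip_address": "192.168.5.10", "action": "allowed"},
]

LookupRows = List[Tuple[ipaddress._BaseNetwork, str]]


def load_cidr_lookup(csv_text: str) -> LookupRows:
    """Parse a 'range,owner' CSV into (network, owner) pairs.

    Rows whose range does not parse as CIDR are dropped; strict=False lets
    a range like 10.1.0.0/8 through by normalising it to 10.0.0.0/8.
    """
    rows: LookupRows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["range"].strip(), strict=False)
        except ValueError:
            continue  # malformed range: skip rather than poison the lookup
        rows.append((net, row["owner"].strip()))
    return rows


def cidr_lookup(ip: str, rows: LookupRows) -> Optional[str]:
    """Offline equivalent of: | lookup ip_owner range AS ip_address OUTPUT owner

    with the lookup defined as Match type CIDR(range). Returns the owner of the
    most specific (longest-prefix) row containing `ip`, or None when no row
    matches or `ip` is not a valid address.
    """
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return None
    best: Optional[Tuple[ipaddress._BaseNetwork, str]] = None
    for net, owner in rows:
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, owner)
    return best[1] if best else None


def enrich(events: List[Dict[str, str]], rows: LookupRows) -> List[Dict[str, str]]:
    """Add an 'owner' field to each event whose ip_address falls in a range,
    the way the automatic lookup would at search time."""
    out = []
    for ev in events:
        ev = dict(ev)
        owner = cidr_lookup(ev.get("ip_address", ""), rows)
        if owner is not None:
            ev["owner"] = owner
        out.append(ev)
    return out


def only_owned(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Offline equivalent of: | where isnotnull(owner)"""
    return [ev for ev in events if ev.get("owner") is not None]


if __name__ == "__main__":
    rows = load_cidr_lookup(LOOKUP_CSV)
    for ev in only_owned(enrich(EVENTS, rows)):
        print(ev["ip_address"], "->", ev["owner"])
```

Running the file prints one line per event that landed in a range; events outside every range (8.8.8.8 in the constructed set) are dropped, matching what `| where isnotnull(owner)` does in the search above.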