- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Re: Match IP address in Splunk to IP range in CSV
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Match IP address in Splunk to IP range in CSV
index=logs ip_address=*
has single ip addresses like 5.9.100.100
CSV file:
range, owner
5.9.0.0/24 Owner1
5.10.64.0/24 Owner2
How can I correlate ip_address to CIDR in CSV file?
I guess we need to use CIDR_match and input lookup function somewhere.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Run this search:
|makeresults | eval raw="5.9.0.0/24 Owner1::5.10.64.0/24 Owner2
| makemv delim="::" raw
| mvexpand raw
| rex field=raw"^(?<range>\S+)\s+(?<owner>.*)$"
| table range owner
| outputlookup MyLookup.csv
You now have a Lookup file.
Create a Lookup definition like this:
Settings -> Lookups -> Lookup definitions -> New
Give it a name like MyLookup and select File-based for Type and MyLookup.csv for Lookup file.
Click Advanced options checkbox.
Enter CIDR(range) for Match type.
Click thegreen Save button.
You now have a Lookup definition.
Create an Automatic lookup like this:
Settings -> Lookups -> Automatic lookups -> New
Give it a name like MyLookup_ip_address_TO_owner.
Select MyLookup for Lookup table (yes, it is mislabeled).
Enter your sourcetype for Named.
Enter range on the left and ip_address on the right under Lookup input fields.
Enter owner on the left under Lookup output fields
Check (or not) the Overwrite field values box.
Click the green Save button.
You now have an Automatic lookup.
Wait 10 minutes.
PROFIT!
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
The best way to do this is to configure your lookup table to perform CIDR matching. Here is a good example of how to do that:
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html
This will allow you to just use | lookup ip_address... like normal, but it will use CIDR matching under the hood.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
so how would you rewrite my query?
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
After you've configured your lookup to use CIDR matching, let's say you called your lookup ip_owner. If you have a base search already and just want to retain the events from your search that match the CIDRs in the lookup:
your base search
| lookup ip_owner range AS ip_address OUTPUT owner
| where isnotnull(owner)
Enterprise Security Content Update (ESCU) | New Releases
Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?
Index This | What are the 12 Days of Splunk-mas?
