Splunk Search

Match IP address in Splunk to IP range in CSV

Explorer

index=logs ip_address=*
has single ip addresses like 5.9.100.100

CSV file:
range, owner
5.9.0.0/24 Owner1
5.10.64.0/24 Owner2

How can I correlate ip_address to CIDR in CSV file?

I guess we need to use CIDR_match and input lookup function somewhere.

0 Karma

Esteemed Legend

Run this search:

|makeresults | eval raw="5.9.0.0/24 Owner1::5.10.64.0/24 Owner2"
| makemv delim="::" raw
| mvexpand raw
| rex field=raw "^(?<range>\S+)\s+(?<owner>.*)$"
| table range owner
| outputlookup MyLookup.csv

You now have a Lookup file.

Create a Lookup definition like this:
Settings -> Lookups -> Lookup definitions -> New
Give it a name like MyLookup and select File-based for Type and MyLookup.csv for Lookup file.
Click Advanced options checkbox.
Enter CIDR(range) for Match type.
Click the green Save button.
You now have a Lookup definition.

Create an Automatic lookup like this:
Settings -> Lookups -> Automatic lookups -> New
Give it a name like MyLookup_ip_address_TO_owner.
Select MyLookup for Lookup table (yes, it is mislabeled).
Enter your sourcetype for Named.
Enter range on the left and ip_address on the right under Lookup input fields.
Enter owner on the left under Lookup output fields.
Check (or not) the Overwrite field values box.
Click the green Save button.
You now have an Automatic lookup.

Wait 10 minutes.
PROFIT!

0 Karma

The best way to do this is to configure your lookup table to perform CIDR matching. Here is a good example of how to do that:
https://answers.splunk.com/answers/305211/how-to-match-an-ip-address-from-a-lookup-table-of.html

This will allow you to just use | lookup ip_address... like normal, but it will use CIDR matching under the hood.

0 Karma

Explorer

So how would you rewrite my query?

0 Karma

After you've configured your lookup to use CIDR matching, let's say you called your lookup ip_owner. If you have a base search already and just want to retain the events from your search that match the CIDRs in the lookup:

your base search 
| lookup ip_owner range AS ip_address OUTPUT owner
| where isnotnull(owner)
0 Karma
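The two answers above rely on Splunk's CIDR match type and then keep only events for which the lookup returned an owner. The following Python script is an added example (not part of this thread and not Splunk code) that reproduces that behaviour offline, which is handy for checking a lookup CSV before uploading it: it parses a constructed copy of the asker's two-row table with the ipaddress module, matches each event's ip_address against the ranges, and drops events with no match, mirroring `| lookup ... OUTPUT owner | where isnotnull(owner)`. The header names `range` and `owner` are taken from the question; the sample events, the longest-prefix ordering for overlapping ranges, and the handling of non-IP values are this example's own assumptions. Note that with the ranges as posted, 5.9.100.100 is outside 5.9.0.0/24 (which only covers 5.9.0.0 to 5.9.0.255), so it would not be matched.

```python
import csv
import io
import ipaddress

# Constructed lookup CSV mirroring the ranges in the question
# (header names range/owner are assumed from the question's CSV).
LOOKUP_CSV = """range,owner
5.9.0.0/24,Owner1
5.10.64.0/24,Owner2
"""


def load_cidr_table(csv_text):
    """Parse the lookup CSV into a list of (network, owner) tuples.

    Rows whose range is not valid CIDR are skipped rather than aborting,
    so one bad row does not take the whole lookup down.
    """
    table = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            net = ipaddress.ip_network(row["range"].strip(), strict=False)
        except ValueError:
            continue
        table.append((net, row["owner"].strip()))
    # Most specific prefix first so overlapping ranges resolve to the narrowest
    # match. This is an assumption of the example; the thread does not say how
    # Splunk orders overlapping CIDR entries.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def lookup_owner(ip_text, table):
    """CIDR-match one ip_address value against the table.

    Returns the owner, or None when no range contains the address or the
    value is not an IP address at all (ip_address=* can match junk values).
    """
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    for net, owner in table:
        if ip.version == net.version and ip in net:
            return owner
    return None


def filter_events(events, table):
    """Equivalent of '| lookup ... OUTPUT owner | where isnotnull(owner)':
    keep only events whose ip_address falls inside a range, with owner added."""
    kept = []
    for event in events:
        owner = lookup_owner(event.get("ip_address", ""), table)
        if owner is not None:
            kept.append({**event, "owner": owner})
    return kept


# Constructed sample events standing in for index=logs ip_address=*
SAMPLE_EVENTS = [
    {"ip_address": "5.9.0.17"},
    {"ip_address": "5.9.100.100"},
    {"ip_address": "5.10.64.200"},
    {"ip_address": "not-an-ip"},
]

if __name__ == "__main__":
    cidr_table = load_cidr_table(LOOKUP_CSV)
    for matched in filter_events(SAMPLE_EVENTS, cidr_table):
        print(matched["ip_address"], "->", matched["owner"])
```

Running the script prints only the two events that land inside a range; 5.9.100.100 and the malformed value are dropped, exactly as the `where isnotnull(owner)` step would drop them in Splunk.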