Splunk Search

Match IP address with IP in Lookup table and alert

neerajs_81
Builder

Hello, we are using ES and we have a downloaded lookup file which has a mix of standalone IPs and CIDRs/subnets. The CSV file has 3 columns: Description, ip, time

I want to match dest_ip from my search results to any of the IPs in the lookup table (column "ip"), and if any match, the results should be displayed in a table format.

I am using this search:

| makeresults count=2
| streamstats count
| eval src_ip = case(count=1,"1.2.3.4", count=2,"2.3.4.5")
| eval dst_ip = case(count=1 OR count=2, "1.234.65.61")
| lookup ip_reputation_list ip as dst_ip OUTPUT ip
| table _time ip

Is the above correct? The problem I am facing is that even if no IPs match, the search results still show me the _time column and the ip column (as empty). How do I get the search NOT to show any results if the IPs don't match in the lookup, and secondly, can I compare an IP with a CIDR in the lookup?

1 Solution

ITWhisperer
SplunkTrust

You could try 

| where ip!=""

Alternatively, try removing the OUTPUT ip to see if you get any fields returned by the lookup?


ITWhisperer
SplunkTrust

Does this work for the first part?

| where isnotnull(ip)

neerajs_81
Builder

If I add

| lookup ip_reputation_list ip as dst_ip OUTPUT ip | where isnotnull(ip)
| table _time ip

then the search results show "No results found" for both cases: IPs that match the lookup file as well as those that do not match in the lookup file. That is weird. Why would it show "No results found" even for those that match the data in the lookup? Is it because of a string format issue that isnotnull doesn't recognize?

neerajs_81
Builder

Thank you very much. It turns out that both isnotnull() and ip!="" are working; I didn't realize I had mistakenly omitted streamstats just after the | makeresults count=2 command.

| streamstats count

A bit confused as to why streamstats is so important along with makeresults.

Secondly, would you know how to match an IP from the search results if it's part of a CIDR/subnet in the lookup? We are on Splunk Cloud and I don't have access to transforms.conf.

ITWhisperer
SplunkTrust

| makeresults count=2

creates a pipeline with two events

| streamstats count

counts the events in the pipeline (stream), storing the current count in the count field.

This allows the case statements to distinguish which event is which and assign different values depending on which event it is.

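The two points left open in the thread (dropping events whose destination IP is not in the list, and matching against CIDR entries) in one self-contained test search. This is an added example, not code posted in the thread: the three destination IPs and the inline reputation entries are constructed test data standing in for the `ip_reputation_list` lookup, and the field names `row`, `rep_entry`, `rep_cidr` and `matched_entry` are my own. For the real lookup on Splunk Cloud, range matching does not need transforms.conf access: open the lookup definition under Settings > Lookups > Lookup definitions, expand Advanced options and set Match type to `CIDR(ip)`; then `| lookup ip_reputation_list ip AS dst_ip OUTPUT ip AS matched_ip, Description` followed by `| where isnotnull(matched_ip)` returns only matched events. The example writes bare addresses as /32 so that a plain IP and a CIDR are handled the same way; it is an assumption that the CIDR match type treats a bare address as /32 on every version, so normalising the CSV to /32 is the safe choice.

```spl
| makeresults count=3
| streamstats count AS row
| eval dst_ip = case(row=1, "1.234.65.61", row=2, "203.0.113.77", row=3, "198.51.100.9")
| eval rep_entry = split("1.234.65.61,203.0.113.0/24,192.0.2.0/24", ",")
| mvexpand rep_entry
| eval rep_cidr = if(match(rep_entry, "/"), rep_entry, rep_entry . "/32")
| where cidrmatch(rep_cidr, dst_ip)
| stats values(rep_entry) AS matched_entry BY row dst_ip
| table row dst_ip matched_entry
```

`mvexpand` fans each event out into one row per list entry, `where cidrmatch(...)` keeps only the pairs where the destination address falls inside the entry (so an event with no match disappears entirely, which is the behaviour asked for in the original question, with no null check needed), and `stats ... BY row dst_ip` collapses the survivors back to one line per event. Expected result: rows 1 and 2 (matched by the /32 entry and by 203.0.113.0/24); row 3 is dropped. Because `mvexpand` multiplies the event count by the list length, use this form for small lists or for verifying the CSV, and prefer the `CIDR(ip)` match type on the lookup definition for production-sized reputation lists.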