Match mix of CIDR Ips and IPv4 Ips from a lookup t...

dwibedi03 · ‎12-15-2020

I have a lookup table which consists of src_ip. This source Ip has mix of Ips in the format:

Src_ip

163.74.7.212

163.74.13.57

67.75.175.32/27

68.143.151.125/26

I need to match this lookup table to my search which consists of the field src_ip in my data. But how do i do that since it is a mix of cidr and normal ips? My actual data for src_ip doesnt consits of cidr ips. Can someone let me know ?

bowesmana · ‎12-15-2020

@dwibedi03

Can you convert all your non CIDR ips in the lookup file to add /32 to the end to make them all CIDR format.

In that way you can set your lookup with the advanced lookup option CIDR(Src_ip) and just do the lookup, which will find it.

dwibedi03 · ‎12-16-2020

@bowesmana : I thought of doing that but I didn't know how to use the lookup after that. Can you explain me in detail about the advanced lookup option?

bowesmana · ‎12-16-2020

@dwibedi03

You have a lookup file, says ips.csv and then you create a lookup definition (which is an abstraction layer on top of the lookup file). Connect it to the actual file itself and then set the Src_ip field to be a CIDR type field like this

then just use the lookup definition in the lookup command, not the file itself, so

base search
| lookup ips Src_ip as src_ip output Src_ip as ipFound
...

so this assumes your event field is src_ip and the CSV file has a column called Src_ip. After this executes, you will have a new field ipFound if the IP exists in the CIDR range of one of the ranges, or null if not.

You can then do this

| where isnull(ipFound)

to see if it was NOT found

Match mix of CIDR Ips and IPv4 Ips from a lookup to search

eval

lookup

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life