Splunk Search

Match mix of CIDR Ips and IPv4 Ips from a lookup to search

dwibedi03
Explorer

I have a lookup table which consists of src_ip. This source IP has a mix of IPs in the format:

Src_ip
163.74.7.212
163.74.13.57
67.75.175.32/27 
68.143.151.125/26 


I need to match this lookup table to my search, which consists of the field src_ip in my data. But how do I do that since it is a mix of CIDR and normal IPs? My actual data for src_ip doesn't consist of CIDR IPs. Can someone let me know?

0 Karma

bowesmana
Champion

@dwibedi03 

Can you convert all your non-CIDR IPs in the lookup file to add /32 to the end, to make them all CIDR format?

In that way you can set your lookup with the advanced lookup option CIDR(Src_ip) and just do the lookup, which will find it.


dwibedi03
Explorer

@bowesmana : I thought of doing that but I didn't know how to use the lookup after that. Can you explain the advanced lookup option to me in detail?

0 Karma

bowesmana
Champion

@dwibedi03 

You have a lookup file, say ips.csv, and then you create a lookup definition (which is an abstraction layer on top of the lookup file). Connect it to the actual file itself and then set the Src_ip field to be a CIDR-type field like this:

bowesmana_0-1608175537749.png

Then just use the lookup definition in the lookup command, not the file itself, so:

base search
| lookup ips Src_ip as src_ip output Src_ip as ipFound
...

So this assumes your event field is src_ip and the CSV file has a column called Src_ip. After this executes, you will have a new field ipFound if the IP is within one of the CIDR ranges, or null if not.

You can then do this

| where isnull(ipFound)

to see if it was NOT found.

0 Karma
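The following is an added example, not code from the thread or from Splunk, that carries both steps of the answer above outside Splunk: it rewrites the lookup CSV so every plain IPv4 value gets a /32 suffix, then emulates a CIDR-type lookup (the `| lookup ips Src_ip as src_ip output Src_ip as ipFound` line) and the `| where isnull(ipFound)` filter over a handful of constructed src_ip values. The four lookup rows are copied from the question; the event IPs, the function names and the handling of an entry with host bits set (68.143.151.125/26 is treated as the /26 block that contains it) are this example's own assumptions, not something the thread states about Splunk.

```python
import csv
import io
import ipaddress

# Constructed sample lookup file mirroring the four rows in the question
# (not real data). The header matches the CSV column name used in the thread.
LOOKUP_CSV = """Src_ip
163.74.7.212
163.74.13.57
67.75.175.32/27
68.143.151.125/26
"""


def normalize_entry(entry):
    """Turn one lookup value into CIDR notation: a plain IPv4 host gets '/32',
    a value that already carries a prefix length is returned unchanged."""
    entry = entry.strip()
    if "/" in entry:
        ipaddress.ip_network(entry, strict=False)  # validate only, keep the text as-is
        return entry
    ipaddress.ip_address(entry)  # raises ValueError on a malformed row
    return entry + "/32"


def normalize_lookup(csv_text, column="Src_ip"):
    """Rewrite the lookup CSV so every value in `column` is CIDR (step 1 of the answer)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        row[column] = normalize_entry(row[column])
        writer.writerow(row)
    return out.getvalue()


def load_cidr_table(csv_text, column="Src_ip"):
    """Parse a normalized lookup into (original value, ip_network) pairs.
    strict=False is this example's choice for entries whose host bits are set,
    e.g. 68.143.151.125/26 becomes the containing block 68.143.151.64/26."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row[column], ipaddress.ip_network(row[column], strict=False)) for row in reader]


def cidr_lookup(src_ip, table):
    """Emulate a CIDR-type lookup: return the lookup's Src_ip value whose block
    contains src_ip (the ipFound field), or None when nothing matches (null ipFound)."""
    addr = ipaddress.ip_address(src_ip)
    for original, network in table:
        if addr in network:
            return original
    return None


def unmatched(src_ips, table):
    """Equivalent of `| where isnull(ipFound)`: event IPs the lookup did not cover."""
    return [ip for ip in src_ips if cidr_lookup(ip, table) is None]


if __name__ == "__main__":
    normalized = normalize_lookup(LOOKUP_CSV)
    print(normalized)
    table = load_cidr_table(normalized)
    # Constructed values for the event field src_ip
    events = ["163.74.7.212", "163.74.7.213", "67.75.175.40", "68.143.151.100", "10.0.0.1"]
    for ip in events:
        print(ip, "->", cidr_lookup(ip, table))
    print("not found:", unmatched(events, table))
```

In Splunk itself the matching step is not code you write: after normalizing the CSV, the lookup definition's advanced "Match type" setting of CIDR(Src_ip) (the `match_type = CIDR(Src_ip)` stanza setting in transforms.conf) makes the `lookup` command do the containment test shown in `cidr_lookup`. The script is useful for checking the normalized file before uploading it, since a row that is neither a valid address nor a valid CIDR block raises a ValueError instead of silently never matching.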