Modify search string from input field to search IP addr db

horst_poehlmann
Explorer

I'm trying to create a dashboard that lets a user input an IP address and then search through the IP address database to search for the subnet and location.

e.g. if someone enters 10.10.10.123, it would basically do a search through a csv of "10.10.10."

So I've tried this, for example (among 1000 other things):
| inputlookup IPAM-Allnetworks.csv
| search address=10.10.10.123 (This would obviously be the $address$ from the form)
| rex field=address "(?<src_subnet>\d+\.\d+\.\d+\.)\d+"
| where address = src_subnet
| table address cidr location VLAN (i.e. interesting fields from CSV)

Yes, this will only work for /24 subnets, but will cover most use cases.

The problem I see is that I need to extract the fields before actually searching. I can see why my search doesn't work but not sure how to fix it.

0 Karma

chrisyounger
SplunkTrust

You need to do something like this

| makeresults
| eval ip = "10.10.10.123" (This would obviously be the $address$ from the form)
| rex field=ip "(?<address>\d+\.\d+\.\d+\.)\d+"
| lookup IPAM-Allnetworks.csv address OUTPUT
| table address cidr location VLAN (i.e. interesting fields from CSV)

This code assumes that your CSV has a column called "address" in it

0 Karma

horst_poehlmann
Explorer

The lines of the lookup table look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (which is the "address" field).

I sort of got it working by adding a "0" to the extracted field, e.g.

| makeresults
| eval ip = "10.10.10.123"
| rex field=ip "(?<address1>\d+\.\d+\.\d+\.)\d+"
| eval address=address1."0"
| lookup IPAM-Allnetworks address OUTPUT
| table address cidr location VLAN

but is there a way to do a wildcard search instead? (i.e. 10.10.10.*)

Thx

PS: Not sure what happened to the previous comments.

0 Karma

horst_poehlmann
Explorer

Thanks. I tried something similar, but the eval command gives me:

Error in 'eval' command: The number 10.10.10.123 is invalid.

0 Karma

horst_poehlmann
Explorer

Quotes around it worked. I just need to work out how to add a "*" wildcard to the end of the search so that it searches:

address=10.10.10.*

0 Karma

chrisyounger
SplunkTrust

You need to show a couple of sample rows from your lookup so we can help you better. I assumed the lookup had an "address" column with just the first three octets in the column

0 Karma

horst_poehlmann
Explorer

Sorry. The lines look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (address).
Thx

0 Karma
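As an added example that is not part of this thread, the following Python shows the two ways of matching an IP to a row of an export shaped like the sample line above: the thread's "first three octets plus 0" equality test, and a proper subnet containment test that also handles non-/24 networks. Column positions (address in field 2, mask in field 3) come from the sample row; treating field 10 as the location, and the row values themselves, are constructed assumptions.

```python
# Added example, not code from the thread: match an IP address to the IPAM
# row whose subnet contains it.  Field positions follow the sample row quoted
# above (field 2 = address, field 3 = mask); field 10 as "location" and the
# row contents are constructed for this demonstration.
import csv
import ipaddress
from io import StringIO

# Constructed sample rows in the same layout as the export quoted above.
SAMPLE_CSV = """\
network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room
network,10.10.20.0,255.255.254.0,10.10.20.0/255.255.254.0,,,,,,Site ABC Lab
network,10.10.22.0,255.255.255.128,10.10.22.0/255.255.255.128,,,,,,Voice Vlan222
"""


def load_networks(text):
    """Parse export rows into (ip_network, location) pairs."""
    nets = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 10 or row[0] != "network":
            continue  # skip headers, blanks and non-network records
        # strict=False tolerates an address that is not the exact network base.
        net = ipaddress.ip_network(f"{row[1]}/{row[2]}", strict=False)
        nets.append((net, row[9]))
    return nets


def slash24_key(ip):
    """The thread's approach: keep the first three octets and append '0'."""
    return ".".join(ip.split(".")[:3]) + ".0"


def lookup_slash24(ip, nets):
    """Equality match on the /24 base address, as the thread's SPL does."""
    key = slash24_key(ip)
    return [loc for net, loc in nets if str(net.network_address) == key]


def lookup_cidr(ip, nets):
    """Containment test for any prefix length; most specific network wins."""
    addr = ipaddress.ip_address(ip)
    matches = [(net, loc) for net, loc in nets if addr in net]
    if not matches:
        return None  # no network in the export covers this address
    net, loc = max(matches, key=lambda m: m[0].prefixlen)
    return loc
```

The /24 shortcut misses a /23 (10.10.21.5 is inside 10.10.20.0/23 but its key 10.10.21.0 is not a row) and wrongly matches a /25 (10.10.22.200 shares the first three octets with 10.10.22.0/25 but lies outside it); the containment test gets both right. In Splunk itself, that containment test is what a lookup definition with match_type = CIDR(address) in transforms.conf performs, which is a Splunk feature rather than something the thread covers.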