Splunk Search

Modify search string from input field to search IP addr db

horst_poehlmann
Explorer

I'm trying to create a dashboard that lets a user input an IP address and then search through the IP address database to search for the subnet and location.

E.g., if someone enters 10.10.10.123, it would basically search the CSV for "10.10.10."

So I've tried this, for example (among 1000 other things):

| inputlookup IPAM-Allnetworks.csv
| search address=10.10.10.123
| rex field=address "(?<src_subnet>\d+\.\d+\.\d+\.)\d+"
| where address = src_subnet
| table address cidr location VLAN

(address=10.10.10.123 would obviously be the $address$ from the form, and the table lists the interesting fields from the CSV.)

Yes, this will only work for /24 subnets, but will cover most use cases.

The problem I see is that I need to extract the fields before actually searching. I can see why my search doesn't work but not sure how to fix it.


chrisyounger
SplunkTrust

You need to do something like this:

| makeresults
| eval ip = "10.10.10.123"
| rex field=ip "(?<address>\d+\.\d+\.\d+\.)\d+"
| lookup IPAM-Allnetworks.csv address OUTPUT cidr location VLAN
| table address cidr location VLAN

("10.10.10.123" would obviously be the $address$ from the form, and the table lists the interesting fields from the CSV.)

This code assumes that your CSV has a column called "address" in it.


horst_poehlmann
Explorer

The lines of the lookup table look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (which is the "address" field).

I sort of got it working by adding a "0" to the extracted field, e.g.

| makeresults
| eval ip = "10.10.10.123"
| rex field=ip "(?<address1>\d+\.\d+\.\d+\.)\d+"
| eval address=address1."0"
| lookup IPAM-Allnetworks address OUTPUT cidr location VLAN
| table address cidr location VLAN

but is there a way to do a wildcard search instead? (i.e. 10.10.10.*)

Thx

PS: Not sure what happened to the previous comments.

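The three-octet shortcut from the answer above and this follow-up, carried through in working code, as an added example that is not part of the thread: it loads a constructed, cut-down version of the IPAM export using the same address/netmask layout as the row posted above, validates the form input before it is used anywhere, and does a longest-prefix match so that /23, /25 and other non-/24 subnets are found as well. The column names address, netmask, location and VLAN are assumed from the thread, not confirmed against the real IPAM-Allnetworks.csv.

```python
import csv
import io
import ipaddress

# Constructed sample of the IPAM export, reduced to the columns used below.
# The real IPAM-Allnetworks.csv has many more columns; the header names here
# (address, netmask, location, VLAN) are assumed from the thread.
SAMPLE_IPAM_CSV = """\
type,address,netmask,location,VLAN
network,10.10.10.0,255.255.255.0,Core/Server Room,222
network,10.10.10.128,255.255.255.128,Lab (carved out of the /24),432
network,10.10.20.0,255.255.254.0,Site ABC,101
network,192.168.1.0,255.255.255.0,Guest WiFi,900
"""


def load_networks(csv_text):
    """Turn the address+netmask columns into ip_network objects paired with their row."""
    networks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        net = ipaddress.ip_network(f"{row['address']}/{row['netmask']}", strict=False)
        networks.append((net, row))
    return networks


def parse_user_address(text):
    """Validate the dashboard input before it goes anywhere near a search string.

    Raises ValueError for anything that is not a single IP literal, which also
    rejects wildcards, quotes and pipes a user might type into the form.
    """
    return ipaddress.ip_address(text.strip())


def naive_first_three_octets(text):
    """The /24 shortcut from the thread: keep 'a.b.c.' and append '0'."""
    ip = parse_user_address(text)
    if ip.version != 4:
        raise ValueError("the three-octet shortcut only works for IPv4")
    return ".".join(str(ip).split(".")[:3]) + ".0"


def _result(net, row):
    return {"cidr": str(net), "location": row["location"], "VLAN": row["VLAN"]}


def lookup_naive(text, networks):
    """Exact match of 'a.b.c.0' against the address column, as the eval/lookup hack does."""
    key = naive_first_three_octets(text)
    for net, row in networks:
        if row["address"] == key:
            return _result(net, row)
    return None


def lookup_longest_prefix(text, networks):
    """Return the most specific network containing the address, or None if there is none."""
    ip = parse_user_address(text)
    matches = [(net, row) for net, row in networks if ip in net]
    if not matches:
        return None
    net, row = max(matches, key=lambda m: m[0].prefixlen)
    return _result(net, row)


if __name__ == "__main__":
    nets = load_networks(SAMPLE_IPAM_CSV)
    for probe in ("10.10.10.123", "10.10.10.200", "10.10.21.5", "10.99.0.1"):
        print(probe, "naive:", lookup_naive(probe, nets),
              "longest-prefix:", lookup_longest_prefix(probe, nets))
```

The naive lookup returns the /24 row for 10.10.10.200 even though a /25 is carved out of it, and finds nothing for 10.10.21.5 because that address sits in a /23. Splunk can do the longest-prefix version itself, with no rex and no wildcard: define the lookup in transforms.conf with `match_type = CIDR(cidr)` on a column that holds prefix notation such as 10.10.10.0/24 (field 4 of the export is in address/netmask form, so it would need converting), and use `| lookup IPAM-Allnetworks cidr AS ip OUTPUT location VLAN`. In the dashboard, reference the form token as `$address|s$` so that it is quoted and escaped before it is substituted into the eval, rather than pasting raw user input into the search string.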

horst_poehlmann
Explorer

Thanks. I tried something similar, but the eval command gives me:

Error in 'eval' command: The number 10.10.10.123 is invalid.


horst_poehlmann
Explorer

Quotes around it worked. I just need to work out how to add a "*" wildcard to the end of the search so that it searches:

address=10.10.10.*


chrisyounger
SplunkTrust

You need to show a couple of sample rows from your lookup so we can help you better. I assumed the lookup had an "address" column with just the first three octets in the column.


horst_poehlmann
Explorer

Sorry. The lines look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (address).
Thx
