Splunk Search

Modify search string from input field to search IP addr db

horst_poehlmann
Explorer

I'm trying to create a dashboard that lets a user input an IP address and then search through the IP address database to search for the subnet and location.

e.g. if someone enters 10.10.10.123, it would basically do a search through a csv of "10.10.10."

So I've tried this for example (among a thousand other things)
| inputlookup IPAM-Allnetworks.csv
| search address=10.10.10.123 (This would obviously be the $address$ from the form)
| rex field=address "(?<src_subnet>\d+\.\d+\.\d+\.)\d+"
| where address = src_subnet
| table address cidr location VLAN (i.e. interesting fields from CSV)

Yes, this will only work for /24 subnets, but will cover most use cases.

The problem I see is that I need to extract the fields before actually searching. I can see why my search doesn't work but not sure how to fix it.

0 Karma

chrisyounger
SplunkTrust

You need to do something like this

|makeresults 
| eval ip = 10.10.10.123 (This would obviously be the $address$ from the form)
| rex field=ip "(?<address>\d+\.\d+\.\d+\.)\d+"
| lookup IPAM-Allnetworks.csv address OUTPUT
| table address cidr location VLAN (i.e. interesting fields from CSV)

This code assumes that your CSV has a column called "address" in it

0 Karma

horst_poehlmann
Explorer

The lines of the lookup table look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (which is the "address" field).

I sort of got it working by adding a "0" to the extracted field, e.g.

|makeresults
| eval ip = "10.10.10.123"
| rex field=ip "(?<address1>\d+\.\d+\.\d+\.)\d+"
| eval address=address1."0"
| lookup IPAM-Allnetworks address OUTPUT
| table address cidr location VLAN

but is there a way to do a wildcard search instead? (i.e. 10.10.10.*)

Thx

PS: Not sure what happened to the previous comments.

0 Karma
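Two ways to do the subnet lookup without appending "0" to the extracted octets, as an added example that is not from this thread: the first search builds the 10.10.10.* wildcard asked for above inside a subsearch and lets `search` apply it to the lookup rows, the second uses `cidrmatch()` so the match works for any prefix length, not only /24. It assumes the CSV has an `address` column holding the network address and a `cidr` column in prefix notation such as 10.10.10.0/24 (the sample row stores address/netmask, which would have to be converted first), and the literal 10.10.10.123 stands where the `$address$` form token goes.

```spl
| inputlookup IPAM-Allnetworks.csv
| search [ | makeresults
           | eval ip="10.10.10.123"
           | rex field=ip "^(?<address>\d{1,3}\.\d{1,3}\.\d{1,3}\.)\d{1,3}$"
           | eval address=address."*"
           | fields - _time
           | fields address ]
| table address cidr location VLAN

| inputlookup IPAM-Allnetworks.csv
| where cidrmatch(cidr, "10.10.10.123")
| table address cidr location VLAN
```

The anchored rex in the first search rejects input that is not a dotted quad, so a malformed or empty form value yields no rows rather than an unintended wildcard; the second search is the one to prefer once the cidr column is in prefix form.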

horst_poehlmann
Explorer

Thanks. I tried something similar, but the eval command gives me:

Error in 'eval' command: The number 10.10.10.123 is invalid.

0 Karma

horst_poehlmann
Explorer

Quotes around it worked. I just need to work out how to add a "*" wildcard to the end of the search so that it searches:

address=10.10.10.*

0 Karma

chrisyounger
SplunkTrust

You need to show a couple of sample rows from your lookup so we can help you better. I assumed the lookup had an "address" column with just the first three octets in the column

0 Karma

horst_poehlmann
Explorer

Sorry. The lines look something like this:

network,10.10.10.0,255.255.255.0,10.10.10.0/255.255.255.0,,,,,,Core/Server Room,,,,,FALSE,,,,,,,,,FALSE,FALSE,,,,,,,FALSE,LAN Addressing,,,,95,85,0,10,,,,,,,,,,,,,Site ABC,,OVERRIDE,432,,Voice Vlan222,*,OVERRIDE

I'm searching on field 2 (address).
Thx

0 Karma