Splunk Search

Nested inputlookup with where clause

MattKr
Explorer

I am trying to build my own kvstore geo data, so far i can run

| inputlookup geobeta
| where endIPNum >= 1317914622 and startIPNum <= 1317914622
| table latitude,longitude

That returns:

latitude,longitude
"51.5128","-0.0638"

But how do i combine this with a search?

I was trying this but it doesn't work:

| makeresults
eval ip_address_integer=1317914622
[ | inputlookup geobeta
| where endIPNum >= ip_address_integer and startIPNum <= ip_address_integer ]

 

Many thanks for hints

Labels (2)
0 Karma
1 Solution

ITWhisperer
SplunkTrust
SplunkTrust

Subsearches are executed before the main search so your ip_address_integer has no value when the inputlookup is executed.

You could try using the map command (although this has its limitations and perhaps should be avoided where possible).

| makeresults
| eval ip_address_integer = 1317914622
| map search="| inputlookup geobeta
| where endIPNum >= $ip_address_integer$ AND startIPNum <= $ip_address_integer$
| table latitude,longitude"

View solution in original post

ITWhisperer
SplunkTrust
SplunkTrust

Subsearches are executed before the main search so your ip_address_integer has no value when the inputlookup is executed.

You could try using the map command (although this has its limitations and perhaps should be avoided where possible).

| makeresults
| eval ip_address_integer = 1317914622
| map search="| inputlookup geobeta
| where endIPNum >= $ip_address_integer$ AND startIPNum <= $ip_address_integer$
| table latitude,longitude"

MattKr
Explorer

Thank you very much, that explains it!
I was able to complete my little proof of concept, this is my complete search:

sourcetype=nftemp
| top 100 SRC
| eval ip_address = SRC
| eval ip_dot_decimal_split=split(ip_address,".")
| eval first=mvindex(ip_dot_decimal_split,0),second=mvindex(ip_dot_decimal_split,1),third=mvindex(ip_dot_decimal_split,2),fourth=mvindex(ip_dot_decimal_split,3)
| fields - ip_dot_decimal_split
| eval first=first*pow(256,3),second=second*pow(256,2),third=third*256
| eval ip_address_integer=first+second+third+fourth
| map search=" | inputlookup geobeta 
| where endIPNum >= $ip_address_integer$ AND startIPNum <= $ip_address_integer$
| eval ip=$ip_address$
| eval mapcount=$count$
| sort mapcount
| table mapcount,ip,country_iso_code,latitude,longitude,ASName,ASNumber" maxsearches=20000

 

The sourcetype is a random generated nftables log with a few IPs in it, then convert the ip's to decimal
and do the search against the geobeta lookup. The source of the geobeta lookup contains also only a few records, not sure how it will perform when the geobeta lookup will have millions of records in it, lets see ... geobeta comes from maxmind by the way.

0 Karma

gcusello
SplunkTrust
SplunkTrust

Hi @MattKr ,

what have you to do? use the lookup's geo coordinates to filter results or what else?

if you want to use the values in the lookup for a subsearch, you have to use the rules of a subsearch, so the fields in the subsearch must have the same field names.

Then you can use thewhere clause inside the inputlookup command.

Put attention that the AND logical operator must be in uppercase to be recognized:

| inputlookup geobeta WHERE endIPNum>=1317914622 AND startIPNum<=1317914622
| table latitude longitude

Then, how are your IP address written?

At least, using lookups, you can also have CIDR match type as described at https://docs.splunk.com/Documentation/SplunkCloud/latest/Knowledge/Usefieldlookupstoaddinformationto... 

Ciao.

Giuseppe

MattKr
Explorer

Hi Giuseppe,
thanks for your response.
I would like to expand the IPv4 addresses and are looking for lat/lon, country and AS informations.
As i do already have the maxmind database in my own mySQL i thought to convert the data into a kvstore
and get my data from there.

None of the Apps on the market had ready suited for me unless i missed one, so i thought to do this by my own .. its just a hobby ...

Cheers

Matthias

0 Karma
Get Updates on the Splunk Community!

Splunk Enterprise Security 8.0.2 Availability: On cloud and On-premise!

A few months ago, we released Splunk Enterprise Security 8.0 for our cloud customers. Today, we are excited to ...

Logs to Metrics

Logs and Metrics Logs are generally unstructured text or structured events emitted by applications and written ...

Developer Spotlight with Paul Stout

Welcome to our very first developer spotlight release series where we'll feature some awesome Splunk ...