Hello,
I've been searching the internet for quite a while, but can't find any approach.
I have a primary search that looks for IP networks in a CSV based on various parameters, such as location (inputlookup), and then creates a CIDR including the bit length of the subnet mask.
Based on this search, I want to search for IPs in a second table.
In principle, I have already implemented this in an (initially poor) solution by using a token that I pass from one search to the other and then use a CIDRMATCH there. This works fine as long as I only have a one-to-one search result in the first search.
Now I have the problem that the first search returns multiple results (e.g. multiple subnets at one location) and I want to search for matching IPs in the second CSV for all found subnets.
This is what the first search (already defined as a base search) looks like:
<search id="base">
<query>
| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet = NetIP . "/" . prefix
</query>
<done>
<set token="CIDR_tok">$result.CIDRNet$</set>
</done>
</search>
The first search displays perhaps 25 different IP subnets.
And the second search is (currently I don't make use of the base search, but I want to):
<search>
<query>
| inputlookup list_of_devices
| where cidrmatch("$CIDR_tok$", devIP)
| sort devIP
</query>
</search>
I have already tried something with subsearches, lookups, append and appendpipe.
Thank you all.
Give this a try (workaround: dynamically generating a where clause with cidrmatch filters):
| inputlookup list_of_devices
| where [| inputlookup list_of_subnet_sand_sites
| search City="*" Street="*" NetIP="10.5.*.*"
| rename NetMask AS mask
| lookup ip_mask_prefix.csv mask OUTPUT prefix
| rename mask AS NetMask
| eval CIDRNet = NetIP . "/" . prefix
| eval search="cidrmatch(\"".CIDRNet."\",devIP)"
| table search
| format "" "" "" "" "OR" ""
| eval search=replace(replace(replace(search,"\\\\",""),"\"c","c"),"\)\"",")")
]
| sort devIP
You could also create a new lookup with a lookup definition that uses CIDR matching and use that to filter records. See this for reference: https://splunkonbigdata.com/cidr-lookup-in-splunk/
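As an added reference implementation (not part of the thread, and not Splunk code), the following Python does offline what the subsearch above is meant to do: turn each site row into a CIDR network, emit the OR'ed cidrmatch() clause that should end up inside `| where [ ... ]`, and list which devices fall into which subnets, including a device that sits in two overlapping subnets. The two CSV bodies are constructed for the example; only the column names (City, Street, NetIP, NetMask, devIP) and the NetIP="10.5.*.*" filter come from the thread. Comparing the generated clause with what Splunk actually substitutes is the quickest way to spot a malformed where clause, and the match table gives the expected result set to check the dashboard against.

```python
"""Offline model of the many-subnet device match discussed in the thread.

Added example, not code from the original post. The CSV bodies are
constructed; column names mirror the thread's lookups.
"""
import csv
import io
import ipaddress
from typing import Dict, Iterable, List

# Constructed stand-in for list_of_subnet_sand_sites (one row per site subnet).
# 10.5.1.128/25 deliberately overlaps 10.5.1.0/24 to show a one-to-many hit.
SITES_CSV = """City,Street,NetIP,NetMask
Berlin,Hauptstr. 1,10.5.1.0,255.255.255.0
Berlin,Hauptstr. 1,10.5.1.128,255.255.255.128
Berlin,Hauptstr. 1,10.5.2.0,255.255.254.0
Munich,Ringstr. 7,10.5.10.0,255.255.255.128
Hamburg,Hafenweg 3,10.6.0.0,255.255.0.0
"""

# Constructed stand-in for list_of_devices.
DEVICES_CSV = """devIP,hostname
10.5.1.17,ber-sw01
10.5.1.200,ber-ap02
10.5.3.200,ber-ap04
10.5.10.130,muc-printer
10.5.10.5,muc-fw01
10.6.4.9,hh-nas
192.168.1.1,lab-router
"""


def site_networks(sites_csv: str, net_prefix: str = "10.5.") -> List[ipaddress.IPv4Network]:
    """Build CIDR networks from NetIP plus dotted NetMask.

    ipaddress accepts a dotted mask directly, so the prefix length does not
    need a separate ip_mask_prefix.csv lookup. net_prefix mirrors the thread's
    NetIP="10.5.*.*" filter. strict=True raises if NetIP is not the network
    address for that mask, which catches a bad row instead of silently
    matching the wrong range.
    """
    nets: List[ipaddress.IPv4Network] = []
    for row in csv.DictReader(io.StringIO(sites_csv)):
        if not row["NetIP"].startswith(net_prefix):
            continue
        nets.append(ipaddress.ip_network(f'{row["NetIP"]}/{row["NetMask"]}', strict=True))
    return nets


def cidrmatch_clause(nets: Iterable[ipaddress.IPv4Network], field: str = "devIP") -> str:
    """Emit the OR'ed cidrmatch() expression the subsearch is meant to produce.

    This is the text that should be substituted into `| where [ ... ]`;
    diff it against what Splunk generates when the where clause is malformed.
    """
    terms = [f'cidrmatch("{n.with_prefixlen}", {field})' for n in nets]
    return "(" + " OR ".join(terms) + ")"


def match_devices(devices_csv: str, nets: Iterable[ipaddress.IPv4Network]) -> Dict[str, List[str]]:
    """Map each device IP to every site subnet containing it.

    A device can appear under more than one subnet when the site list has
    overlapping networks; the Splunk OR clause returns such a device once,
    so this view is the stricter check.
    """
    net_list = list(nets)
    hits: Dict[str, List[str]] = {}
    for row in csv.DictReader(io.StringIO(devices_csv)):
        ip = ipaddress.ip_address(row["devIP"])
        matched = [n.with_prefixlen for n in net_list if ip in n]
        if matched:
            hits[row["devIP"]] = matched
    return hits


if __name__ == "__main__":
    networks = site_networks(SITES_CSV)
    print(cidrmatch_clause(networks))
    for dev, subnets in match_devices(DEVICES_CSV, networks).items():
        print(dev, "->", ", ".join(subnets))
```

Devices outside the 10.5.0.0/16 filter (the Hamburg NAS, the lab router) and the Munich printer at 10.5.10.130, which lies outside the /25, are expected to be absent from the match table; if the dashboard shows them, the generated where clause is not doing what the subsearch intended.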
Thanks, I will try this approach. Currently I am having some issues with malformed "where" commands. I will post an update when I get further.