Splunk Search

Search against lookup table with both CIDR and regular addresses

tromero3
Path Finder

I have a lookup table consisting of both CIDR addresses and regular x.x.x.x addresses under the field named "IP_Address". The lookup definition has  Match type:  <CIDR>(<IP_Address>)

I need to create a search against data model that only shows events where the src in the events matches the IP_Address field in the lookup table.   I will also add additional fields from the events to the search results: _time, action, IP_Address/src, dest, dest_port.  I would also like to add an additional field from the lookup table called "Date Blocked".

I have this so far for the first part, but it is not returning any results. Any suggestions? Thank you in advance 🙂

 

 

from datamodel:"Network" |where [inputlookup Blocked_IPs | rename src as IP_Address | fields IP_Address ]| table _time, action, IP_Address, dest, dest_port

 

 

Labels (1)
0 Karma
Get Updates on the Splunk Community!

Detecting Remote Code Executions With the Splunk Threat Research Team

WATCH NOWRemote code execution (RCE) vulnerabilities pose a significant risk to organizations. If exploited, ...

Enter the Splunk Community Dashboard Challenge for Your Chance to Win!

The Splunk Community Dashboard Challenge is underway! This is your chance to showcase your skills in creating ...

.conf24 | Session Scheduler is Live!!

.conf24 is happening June 11 - 14 in Las Vegas, and we are thrilled to announce that the conference catalog ...