Splunk Search
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Site name from lookup table based on IP address

eransh10
New Member
‎11-16-2017 10:00 AM

Hi splunk guru's.
I'm trying to find a way (using SPL only - i am not an admin) to do the following:
My vulnerability data feed has IP address of the vulnerable machine with description of the specific vulnerability.
I also have a lookup table with site information based on CIRD - like that one:
Site: IP Range:
TexasOffice 10.12.1.0/24

What I want is to be able to pull the Site name near the IP.
So If my SPL query gives me the following:
IP, Vulnerability Description, Vulnerability name.
I would like to be able to add the Site name at the end of if without changing transforms.conf since I have no admin rights to splunk.

Tags (1)
0 Karma
Reply

MonkeyK
Builder
‎11-16-2017 12:35 PM

Eransh,
There are ways to create the lookup file without admin

if the file is small, you can manually create the entries and append them to a lookup file. 

|makeresults | eval site="TexasOffice" src_ip="10.12.1.0/24" 
| append [|makeresults | eval site="NextOffice" src_ip="10.12.2.0/24" 
...repeat the above line for each office
|outputlookup append=t mysites.csv

if the file is larger and /or you have more lookups to create, you can get your admin to install the Lookup File Editor app. This will let you create and modify files, even import them based on a local CSV

Lookup will do CIDR matching. You will need to make sure that the src_ip field matches your ip field

    <mysearch> | lookup mysites.csv src_ip as <ip from mysearch> OUPUT site
0 Karma
Reply

niketn
Legend
‎11-16-2017 11:47 AM

@eransh10, your Splunk Admin will have to upload the lookup file and create the lookup definition for you to write required query. Once both are done you can use lookup command to map IP to respective site name.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Data Management Digest – December 2025

Welcome to the December edition of Data Management Digest! As we continue our journey of data innovation, the ...

Index This | What is broken 80% of the time by February?

December 2025 Edition   Hayyy Splunk Education Enthusiasts and the Eternally Curious!    We’re back with this ...

Unlock Faster Time-to-Value on Edge and Ingest Processor with New SPL2 Pipeline ...

Hello Splunk Community,   We're thrilled to share an exciting update that will help you manage your data more ...