Splunk Search
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Site name from lookup table based on IP address

eransh10
New Member
‎11-16-2017 10:00 AM

Hi splunk guru's.
I'm trying to find a way (using SPL only - i am not an admin) to do the following:
My vulnerability data feed has IP address of the vulnerable machine with description of the specific vulnerability.
I also have a lookup table with site information based on CIRD - like that one:
Site: IP Range:
TexasOffice 10.12.1.0/24

What I want is to be able to pull the Site name near the IP.
So If my SPL query gives me the following:
IP, Vulnerability Description, Vulnerability name.
I would like to be able to add the Site name at the end of if without changing transforms.conf since I have no admin rights to splunk.

Tags (1)
0 Karma
Reply

MonkeyK
Builder
‎11-16-2017 12:35 PM

Eransh,
There are ways to create the lookup file without admin

if the file is small, you can manually create the entries and append them to a lookup file. 

|makeresults | eval site="TexasOffice" src_ip="10.12.1.0/24" 
| append [|makeresults | eval site="NextOffice" src_ip="10.12.2.0/24" 
...repeat the above line for each office
|outputlookup append=t mysites.csv

if the file is larger and /or you have more lookups to create, you can get your admin to install the Lookup File Editor app. This will let you create and modify files, even import them based on a local CSV

Lookup will do CIDR matching. You will need to make sure that the src_ip field matches your ip field

    <mysearch> | lookup mysites.csv src_ip as <ip from mysearch> OUPUT site
0 Karma
Reply

niketn
Legend
‎11-16-2017 11:47 AM

@eransh10, your Splunk Admin will have to upload the lookup file and create the lookup definition for you to write required query. Once both are done you can use lookup command to map IP to respective site name.

http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup

____________________________________________
| makeresults | eval message= "Happy Splunking!!!"
0 Karma
Reply
Get Updates on the Splunk Community!

Announcing Scheduled Export GA for Dashboard Studio

We're excited to announce the general availability of Scheduled Export for Dashboard Studio. Starting in ...

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics GA in US-AWS!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...