Hi splunk guru's.
I'm trying to find a way (using SPL only - i am not an admin) to do the following:
My vulnerability data feed has IP address of the vulnerable machine with description of the specific vulnerability.
I also have a lookup table with site information based on CIRD - like that one:
Site: IP Range:
TexasOffice 10.12.1.0/24
What I want is to be able to pull the Site name near the IP.
So If my SPL query gives me the following:
IP, Vulnerability Description, Vulnerability name.
I would like to be able to add the Site name at the end of if without changing transforms.conf since I have no admin rights to splunk.
Eransh,
There are ways to create the lookup file without admin
if the file is small, you can manually create the entries and append them to a lookup file.
|makeresults | eval site="TexasOffice" src_ip="10.12.1.0/24"
| append [|makeresults | eval site="NextOffice" src_ip="10.12.2.0/24"
...repeat the above line for each office
|outputlookup append=t mysites.csv
if the file is larger and /or you have more lookups to create, you can get your admin to install the Lookup File Editor app. This will let you create and modify files, even import them based on a local CSV
Lookup will do CIDR matching. You will need to make sure that the src_ip field matches your ip field
<mysearch> | lookup mysites.csv src_ip as <ip from mysearch> OUPUT site
@eransh10, your Splunk Admin will have to upload the lookup file and create the lookup definition for you to write required query. Once both are done you can use lookup command to map IP to respective site name.
http://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Lookup